IT PRO HERO

22 A Smooth Windows Vista Migration Is
Possible

If FUD keeps you Vista-resistant, take heart from the Windows Vista 
migration tale of Penton Media IT's Brent Mammen, Chris Ripkey, and 
Lucas Smith. Good preparation, end-user training, and testing helped them 
avoid migration show-stoppers—and can help you, too. 

BY CAROLINE MARWITZ 


Access articles online at www.windowsitpro.com.

article) in the InstantDoc ID text box on the 
home page. 

COVER ILLUSTRATION BY RYAN ETTER. 
COVER STORY


21 Vista Deployment Postmortem 

Traveling the road to Windows Vista? You can learn how to get there while avoiding detours, road 
construction, and bridge trolls by talking to administrators who've already made the trip. Michael 
Dragone shares his deployment experiences, both good and bad. 

BY MICHAEL DRAGONE 
17 Reader to Reader

Use dcomcnfg.exe to fix DCOM problems, 
plus save time by querying only online 
computers. 


19 Ask the Experts 

Learn about IE's quick-complete string feature 
and how to modify it, find out about VMware's 
VMotion and Dynamic Resource Scheduler 
technologies, and get some tips on VM 
security. 
FEATURES

29 Windows Server 2008's 
Radical Features 

Learn how Windows Server 2008 will transform
server computing with componentization, Server
Manager, read-only domain controllers, and other
radical features that offer scalability, reliability, and
security.

BY PAUL THURROTT

30 Windows Server 2008 Availability and Licensing 


35 VMware and the Future of 
Virtualization 

What's next for virtualization and business IT? 
Windows IT Pro speaks with VMware President and 
CEO Diane Greene on the future of virtualization 
technology. 

BY JEFF JAMES

36 Need to Save Money? Build Green and Virtualize 


SOLUTIONS PLUS 

38 Secure Your Exchange 
Server 

Use two Exchange 2007 XML files in conjunction 
with Windows Server 2003 SP1's Security
Configuration Wizard to harden your environment. 

BY BRIEN POSEY 


43 PowerShell 101, Lesson 6 

The PowerShell 101 series concludes by 
introducing you to PowerShell's providers and 
drives. 

BY ROBERT SHELDON 


SOLUTIONS PLUS 

48 Bringing iSCSI SAN and 
Virtualization Together 

Two complementary technologies—iSCSI SANs 
and system virtualization—hold the power to 
completely change your systems management 
processes. Here's how to implement them to their 
full advantage. 

BY ED ROTH 
53 Safeguard Your SharePoint
Content with Data Protection 
Manager 

Microsoft System Center Data Protection Manager 
(DPM) 2007 gives administrators a rich set of 
SharePoint recovery tools that offer advanced 
snapshot-based recovery of item-level SharePoint 
content as well as the entire SharePoint 
infrastructure. 

BY MICHAEL NOEL


59 Industry Bytes

Jeff James shares highlights from the Microsoft Management 
Summit (MMS) 2008 and Interop trade shows. 


REVIEW 

60 Paul's Picks 

In the newest Microsoft Forefront security application, code- 
named Stirling, Forefront's security tools let you automate 
responses to security threats; plus, smart phone users should 
keep an eye on REDFLY Mobile Companion, a device that could 
replace your laptop. 

BY PAUL THURROTT


REVIEW 

60 LANDesk Application Virtualization 

LANDesk Application Virtualization doesn't require the 
infrastructure of higher end application virtualization products 
and no client software is needed—two of the many reasons you 
should look closer at this solution. 

BY MICHAEL OTEY 
61 KBOX 1100 Systems Management
Appliance

KACE Networks' systems management appliance delivers a
huge range of standard and optional features, from hardware 
and software inventory to patch management. We cover the 
highlights for you. 

BY JOHN GREEN 
63 Virtualization Shootout, Part 2

Find out whether Microsoft's Hyper-V matches the performance
levels set by VMware's ESX Server. 

BY MICHAEL OTEY 


64 The Good, the Bad, and the Ugly


BUYER’S GUIDE 

67 Event-Log Managers 

Event-log managers organize system event information for 
problem alerts, regulation compliance, and network and asset 
analysis. Use our introductory questions to help choose the 
features you need. Then review the 22 detailed event-log 
managers listed in our online product chart. 

BY KAREN BEMOWSKI 
68 Readers Review Hot Products

Readers highlight their favorite products from StillSecure, Utility 
Factory, and Secure Computing. 

BY JEFF JAMES 
5 Making a Mesh of IT?

Find out how Live Mesh fits Microsoft's Software 
Plus Services (S+S) strategy. 


57 New & Improved 

Check out the latest products to hit the marketplace. 
PRODUCT SPOTLIGHT: AVTECH Software's Room Alert Signal 
Tower 


THURROTT | NEED TO KNOW

10 Microsoft Live Mesh

Call it cloud computing, Software Plus Services,
or S+S—Microsoft Live Mesh is an operating
environment that offers a Web-based version of 
the Windows Vista desktop and a browser-based 
feature to remotely access the desktop of any 
linked PC. Call it an important move for Microsoft. 
13 Fine-Tune Server Core's IP
Stack with Netsh 

To get Server Core's network stack set up, you can 
use the Netsh utility, which has gone through 
some recent changes. Here's how to use the 
latest incarnation. 
15 Command-Line Tools in
Windows Server 2008

Windows Server 2008 provides command-line
tools for managing your systems. Use Icacls to
back up ACLs, Wbadmin to back up your whole 
system, and ServerManagerCmd to script Server 
Manager actions. 










































IT PRO PERSPECTIVE 


Forster 

"Live Mesh might just be the 
piece that will eventually 
complete the .NET picture." 



Making a Mesh of IT? 

A key piece of the S+S puzzle, or a random distraction? 


Microsoft is like a complex jigsaw puzzle for grown-ups—but the kids tossed in a few
random pieces from their puzzles. Think about Microsoft's overall product strategy: Some
offerings lock together seamlessly so that you can see how the finished picture should
look. The management strategy anchored by the System Center products is a good example.
Other pieces appear to fit but really don't. MSN comes to my mind. And still others look
wrong, but end up being exactly what you need to complete the tricky section that looks
like it will be a cloud.

As a possible candidate for that last category, I've been contemplating some edge pieces
that are forming a view of Microsoft's Software Plus Services (S+S) strategy. I just
picked up a piece, Microsoft Live Mesh, that appears to be a corner—but then again, maybe
it's only part of the kids' Mickey Mouse puzzle.

Live Mesh is currently in its earliest stages of pre-beta development and available only
through a private technical preview. So it's premature to speculate about the product's
eventual significance. Nevertheless, after playing with Live Mesh, I found that it is
already surprisingly useful, even with its still-limited feature set. Most intriguing,
though, is the sense that Live Mesh hints at how S+S could actually provide practical
solutions and become enmeshed with IT. (For details on what Live Mesh is, see Paul
Thurrott's "Microsoft Live Mesh," page 10.) Examining the Microsoft puzzle, I'm trying to
see how Live Mesh fits—or doesn't fit—the company's big picture.

Beyond OSs and Applications 

Microsoft insists that it is a "platform" company. This insistence signals that the
company offers more than discrete software products; it also combines these products to
produce end-to-end solutions. Examples include business intelligence (BI) and unified
communications (UC). But the platform message also conveys a more far-reaching strategic
direction. Microsoft is setting the stage to go beyond selling OSs and applications and to
evolve its business model toward enabling Web-based revenue opportunities: Take
Microsoft's push to be an advertising "platform" a la Google, for example.

Live Mesh is a further, and potentially more significant, example of Microsoft's platform
strategy. According to Jeff Hansen, general manager, Live Services Marketing, "Live Mesh
is a S+S platform that enlivens devices by making them aware of each other over the
Internet. Not surprisingly since Microsoft at its core is a platform company and the Live
Mesh group resides in the platform organization, the solution they came up with is a
platform. The best analogy to think about is Windows."

Windows is indeed a good analogy. And although it would be blasphemy for anyone at
Microsoft to admit the idea, Live Mesh (or something like it) could end up following the
same route from consumer to enterprise as Windows, and even (gasp!) replacing Windows some
day. Jeff noted the future importance of Live Mesh: "The Live Mesh group is part of our
Live Platform Services group, which built the platform technologies for all Live offerings
and beyond. So for some of those technologies, Live Mesh represents the next generation.
All of that is part of our emergent services platform strategy."

At this early stage, Live Mesh is positioned as a consumer play, and Microsoft is engaging
developers to create Live Mesh applications that will entice customers when the product is
released. But business IT is definitely on the radar. Jeff said, "Over time there'll be
relevance to IT and business scenarios. In fact, the team built the platform from day one
thinking about unique needs (such as provisioning) for the enterprise IT department. They
even thought through allowing an organization to have the mesh cloud, or a portion of the
mesh cloud, reside on their own servers on premise. So [Microsoft] built the platform to
accommodate those scenarios. We don't have those scenarios out today."

Should You Care? 

In 2000, I attended a Bill Gates briefing on a new Microsoft vision. This radical paradigm
foresaw technology that would follow you seamlessly from your job to your car to your
doctor's office to your bank—everywhere. This vision was called .NET. Excitement about
.NET became so pervasive that everything at Microsoft got .NET appended to it. People even
joked that Microsoft's restrooms were labeled "Women.NET" and "Men.NET." But .NET got
scaled back as the company realized its ambitions outreached its abilities.

Microsoft history is replete with exciting ideas that never materialized. For now, though,
it looks like the .NET vision has risen again, and this time technology has advanced
enough to make it feasible. Live Mesh might just be the piece that will eventually
complete the .NET picture.

InstantDoc ID 99280 


KAREN FORSTER (karen@windowsitpro.com) is editorial and strategy 
director for Windows IT Pro and SQL Server Magazine and former director 
of Windows Server User Assistance at Microsoft. 
■ PowerShell Kudos

■ Windows Defrag 


■ Command-Line Fear 

■ Antivirus Fine Print 


PowerShell to the Rescue 

I don't often take time to thank authors for their articles, but the timing of
"PowerShell 101, Lesson 4" (May 2008, InstantDoc ID 98447) was so fortuitous that I had to
drop a line. I'm an IT generalist, and sometimes it's difficult to determine which
articles I should spend my limited time reading. One series I've been keeping up with is
Robert Sheldon's PowerShell series.

The day after reading Lesson 4, I was trying to use Exchange Management Shell to run a
built-in script to make public folder changes. I had successfully run the command once, so
I knew my syntax was correct. But when I used the up arrow to bring the command back, then
simply changed the name of the folder, it kept failing. However, when I used the public
folder name with other Exchange Shell commands, they worked. The folder name contained two
words separated by a space, and I was trying to submit the name inside double quotes (as
per Microsoft documentation)—that is, "X Y".

Based on the error, it seemed the script was interpreting word Y as a command instead of
part of the folder name. I theorized the script was receiving X Y from the script instead
of "X Y".

So, how would I get the name to the script still in quotes? Did I remember something about
quotes within quotes?

I tried "'X Y'". Sure enough, it worked like a charm. So, thanks to your impeccable
timing, I avoided a very long day.

—Rich Van Alstine 
How many Microsoft products include
the word “Essential” in their names?



Can you name them all? 
Answer upside down. 
READER FEEDBACK


What About Windows' Built-in 
Defragmenter? 

Your product comparison in "3 Enterprise Disk Defragmenters" (May 2008, InstantDoc ID
98577) was very interesting. I'd like to know how well these defragmenters compare with
the included—and free—Windows Disk Defragmenter in the way they analyze and defragment
drives and files. Such information would help me decide whether the extra features of the
three defragmenters you tested make a purchase worthwhile.


—Sergio Monaco 


Thanks for the feedback! You bring up an excellent question. Windows' built-in tool is by
no means a poor choice.

On the contrary, the tool was created by Executive Software (the same company that created
Diskeeper) and licensed by Microsoft. However, the tool is limited. Versions earlier than
Windows Vista's incarnation can't be easily scheduled, and it can't defrag system files
(e.g., the hibernation file, the paging file, the Master File Table — MFT) that are in
use. Third-party tools also do a better job of defragmenting the hard disk in one pass,
whereas the built-in tool might require multiple passes. And if you need to centrally
manage the defragmentation of all your servers or workstations, you'll have to look at the
third-party tools.

—Eric B. Rux

"Windows' built-in
defragmenter is by no
means a poor choice.
But it's limited."



Don't Fear the Command Line 

I just wanted to take a moment and tell you that Mark Minasi's Windows Power Tools columns
(windowsitpro.com/departments/departmentID/929/929.html) are fantastic.

It's always a breath of fresh air when someone isn't afraid to talk about the benefits of
the command line.

—Bryan Purtell 


Antivirus Scanners: 

Read the Fine Print! 

After reading Gayle Rodcay's excellent "Enterprise Antivirus Software" Buyer's Guide (May
2008, InstantDoc ID 98441), I thought it was important to clarify the following sentence:
"Antivirus products should scan memory, all drives, and the registry." The "all drives"
reference would read OK if the author specified antivirus scan exclusions.

More specifically, for Microsoft Exchange Server systems, it's important that file-level
antivirus scanners don't scan the Exchange databases and transaction log drives. These
scanners can mistakenly identify the structure of transaction logs as virus-like and
delete or quarantine the log! I'm always surprised by how many companies install
file-level scanners on their Exchange servers without defining exclusions.

Please refer to the Microsoft articles "The Exchange database store may not mount in
Exchange Server 2003 or in Exchange 2000 Server, and event IDs 9175, 486, 455, 413, and 5
may be logged" (support.microsoft.com/kb/896143) and "Overview of Exchange Server 2003 and
antivirus software" (support.microsoft.com/kb/823166) for further information.

—Richard Martin 


InstantDoc ID 99285 


In "Need to Know" (May 2008, InstantDoc ID 98444), we incorrectly
referenced Microsoft Unified Communications Server (UCS). The correct
product is Microsoft Office Communications Server (OCS).

Humphries 

The missing link 
to IT resources 



Is Your Active Directory 
in the Toilet? 

If you don't know what you're doing, it could all 
go down the drain 



The best lessons are those you learn in the bathroom. About a year ago, I dropped my cell
phone into the toilet. (Don't ask.) Although my phone had survived previous underwater
adventures, this time it went kaput.

When I got my replacement phone, I decided that instead of transferring my contacts, I'd
try to memorize all the numbers. Not surprisingly, my plan turned out just like my
original phone's trip to the john. When I missed a call, I had to wait to reply until I
could double-check the number (which I rarely remembered to do), resulting in many
forgotten, unreturned calls—and as you might guess, a few unforgiving friends. If I could
have dedicated more time to the project, I would have completed it successfully (and still
be on speaking terms with a few more pals). But I was too busy with the other things I had
to do, so my efforts fizzled out.

Recently, one of our resident experts (aka editors), Caroline Marwitz, told me that IT
pros feel the same way about Active Directory (AD)—but unlike me, they can't give up.
After Caroline brought me up to speed about what the heck AD is, she explained that most
IT pros don't specialize in AD—it's just one item on their lengthy to-do lists. AD is
complex, and some readers told her that they don't have the time to learn all its ins and
outs and need guidance. For those who feel the same way, she recommends the January 2008
Windows IT Pro article "Avoid Active Directory Pain," InstantDoc ID 97611. And (if you
promise not to notice that it's something I should have created) you should check out
Caroline's "compendium of Active Directory articles" at InstantDoc ID 95586.

When our company merged with another organization, our AD was all screwed up. (Honestly,
it kind of still is.) At the time, I was quick to criticize; I didn't understand why
people no longer working at the company were still in my Outlook address book. But after
losing the battle with my Contacts list and my enlightening conversation with Caroline, I
get it. I now have a new respect for all our Penton IT folks—it can't be fun fishing AD
out of the potty.

We're in IT with You
eNews Generation

Build your HTML and text e-newsletters fast using the powerful eNews Generator, a free
e-newsletter builder that lets you combine your message with articles from Windows IT Pro,
SQL Server Magazine, Paul Thurrott's Win Info, Connected Home Express, and JSIFAQ. For
more information, go to usergroup.windowsitpro.com/generator or read my blog post at
InstantDoc ID 99156.


Thurrott

"Microsoft has been working 
secretly on a cloud computing 
platform." 


NEED TO KNOW 


Microsoft Live Mesh 

New operating environment offers remote PC access and Web-based desktop 


With Microsoft Live Mesh, Microsoft enters the so-called cloud computing market and
announces its intent to firmly embrace this emerging computing trend. The announcement is
important for several reasons, most obviously because it's the first time the company has
ever shipped a product that will compete head-to-head with its traditional and lucrative
desktop-based offerings. But Live Mesh, like cloud computing itself, is still widely
misunderstood, and it's unclear at this time how Microsoft's new "service in the cloud"
will affect its bread-and-butter corporate customers. Here's what you need to know about
Microsoft Live Mesh.

Understanding Cloud Computing 

Although traditional software makers such as Microsoft have been plying PC-based desktop
software for decades now, the emergence of pervasive broadband access to the Internet has
fundamentally changed our expectations. Now, software applications and updates—even
OSs—are deployed and installed from the Internet or are even run directly from the
Internet, threatening to put an end to traditional media-based software delivery.

Internet-based software delivery is reminiscent in many ways of the pre-PC networking
environments that mainframe and mini-computer makers were offering 20 years ago. So it
shouldn't come as a surprise that cloud computing also encompasses another aspect of that
once-quaint computing model: That is, it too doesn't rely on the local processing and
rendering power of an individual PC. Instead, cloud computing solutions actually run in
the Internet "cloud" via a Web browser, such as Microsoft Internet Explorer (IE) or
Mozilla Firefox.

Before you assume that a scenario in which we return en-masse to the
shared-computing-resource days of the 1970s is fanciful, consider that some of today's
most frequently used software solutions are delivered as cloud computing services.
Google's Gmail, Google Calendar, and Picasa Web Albums are all Web-hosted services, as are
similar solutions from Microsoft (Hotmail, Windows Live Calendar, Windows Live Spaces) and
Yahoo! (Yahoo! Mail and Calendar). And let's not forget social-networking solutions such
as Facebook and MySpace and even enterprise solutions such as Microsoft Exchange Hosted
Services and Salesforce.com's CRM services.

For many computer users, the notion of installing (let alone managing) more than a few
basic local applications on the PC is becoming passé. Users can access their data and
software solutions from any PC—and, increasingly, from other devices—anytime they want. In
this sense, cloud computing is as much a revolution as it is a reminder of days gone by.
Unlike the mainframe and mini-computer environments of the past, cloud computing solutions
are hosted on the public Internet and are thus open to one and all. And thanks to a
growing interest in open-source and advertiser-supported solutions, much of what makes
cloud computing so attractive to people is that it's free.

Microsoft's Response: Software Plus Services 

As has been the case with so many computing initiatives over the years, Microsoft has
adopted cloud computing slowly and belatedly, leaving the market wide open for faster
competitors such as Google and smaller startups. For pragmatic reasons—its traditional
Windows, Windows Server, and Office product lines continue to generate billions of dollars
of revenue every quarter—Microsoft has sought over the years to extend its desktop and
server products with online services capabilities instead of fully embracing cloud
computing.

In Windows, this online-services strategy originally meant duplicating the success
Microsoft had merging IE into Windows, an action that destroyed then-market-leader
Netscape: Witness the multiple instances of so-called middleware—bundled products like
Windows Messenger, IE, and Outlook Express—that Microsoft introduced in Windows XP.
However, with antitrust regulators on three continents threatening and, in at least two
high-profile cases, actually delivering legal remedies against the company, Microsoft had
to change its strategy.

Microsoft's new strategy has settled into an arguably logical plan that Microsoft calls
Software Plus Services. S+S makes sense: Microsoft says it will combine the best of its
traditional desktop and server software with a new generation of Web-based services,
providing customers with a best-of-both-worlds experience that combines the maturity and
richness of Windows and Office with the pervasive online capabilities of true cloud
computing solutions.

So while Google is busy building a replica of Microsoft Word circa 1985 in its Google Docs
solution, Microsoft has extended its well-received and widely deployed Office suite with
online services such as Office Live Workspace (online collaboration), Office Live Small
Business (online presence, marketing, and sales), and Windows Live SkyDrive (Web-based
document storage). And while consumers are free to continue using services such as Hotmail
and Windows Live Calendar, Microsoft is also offering Exchange Hosted Services for
businesses that need the power of Exchange but lack the facilities to
host it themselves. Microsoft SQL Server will join this list as well with the new SQL
Server Data Services.

Microsoft is also investigating methods of monetizing what will eventually become
cloud-based services. This is typically done through subscription means, such as the
Software Assurance (SA) volume licensing program with which many enterprises are familiar.
But Microsoft has also been trying to get consumers accustomed to subscription-based
software services, most frequently through a series of Office-related schemes. The most
recent, currently code-named Albany, will combine Office 2007 Home and Student Edition
with the company's Windows Live OneCare security service and several Windows Live and
Office Live services and will ship by the end of 2008.

While it's in keeping with the company's 
core strengths, Microsoft's S+S initiative is 
obviously a stop-gap measure bridging the 
traditional software of the past and the Web- 
based services of the future. As time goes 
by, Microsoft and competing technology 
companies will deliver an ever-increasing 
number of products via the cloud and fewer 
products locally with even fewer delivered via 
traditional retail packaging. 

Why Live Mesh is Different 

Sensing the industry change, Microsoft has been working secretly on a cloud computing platform called Live Mesh. Available now in beta, Live Mesh is an operating environment that can run on the Web, offering Web-based management and synchronization of Windows-based PCs, Macs, and various smart phones and other mobile devices. What makes Live Mesh different from Microsoft's previous S+S efforts is that it's platform agnostic—the company is supporting a host of non-Microsoft devices—and that it will support an application execution environment that will be common among all supported devices. Furthermore, Live Mesh-based applications can take advantage of outside Web services and vice versa, thanks to its open programming model.

In its beta form, however, Live Mesh offers only a small subset of the projected functionality. Three basic services are available:

Web-based desktop. Exposed as a device in your "mesh" of connected devices, the Live Desktop is a Web-based version of the Windows Vista desktop that you access from any Web browser, complete with RSS-style "news" updates (really an ongoing stream of information about any updates to your mesh), ways to remotely connect to your linked PCs, and access to the contents of your shared folders.

Folder sharing. As with Microsoft's FolderShare service, Live Mesh offers folder sharing capabilities between any and all linked PCs (and, later, other devices) and the Live Desktop. As documents and other files in these shared folders are changed (or added or deleted), any other PCs and devices that are linked to the shares are updated as well, automatically and almost instantly. These synchronized folders reside online, in the Web-based Live Desktop, and on linked PCs in your mesh.

Remote PC access. Utilizing a browser-based Remote Desktop-like experience, Live Mesh lets you remotely access the desktop of any linked PC, assuming it's on and connected to the Internet. It does this without any configuration of any kind on either end of the connection, and it even works with non-business versions of Windows, including XP Home and Vista Home Premium, which don't natively include Remote Desktop functionality.

As noted previously, Microsoft intends to be aggressive about supporting non-Microsoft devices. The theory here is that most individuals today don't actually use just a single device. Instead, people increasingly use multiple PCs (and Macs) both at home and at work. They own and access desktop PCs and laptop computers. They have smart phones, MP3 players, digital cameras, and other mobile devices. And they have a host of online personas via email and IM services, social networking memberships, e-commerce sites, and other online communities. As users, we manage these disparate components separately and with great difficulty. Microsoft is seeking to take this heterogeneous computing environment and make it centrally manageable.

Live Mesh and Businesses 

Coming as it does out of the Windows Live group at Microsoft, the initial beta version of Live Mesh is indeed somewhat consumer focused. But don't let that dampen your expectations for its future. In October 2008, at its Professional Developers Conference (PDC) 2008, Microsoft will release the first version of its Live Mesh Software Development Kit to developers, and the company expects Live Mesh to form the basis for a new generation of software services that will provide value across all of its customer segments. Most tellingly, perhaps, Live Mesh is seen as a major platform initiative, akin to Windows, Windows Server, and Office, which will drive users towards cloud computing in the coming years.

Even now, Live Mesh's remote desktop and folder sharing functionality is sure to prove interesting to small and medium-sized businesses. And though true enterprise management of these and other coming services is currently only on the horizon, it's not hard to imagine that Microsoft will begin incorporating Mesh-based services in all of its product lines.

Recommendations 

Live Mesh is, perhaps, the most forward-looking project to emerge out of Redmond since the first version of Windows NT back in 1993. As with NT, Live Mesh is a repudiation of past software initiatives at Microsoft and a chance to start over with a modern platform that's unburdened by the compatibility issues facing its mainstream computing platforms of the day. Live Mesh works with and integrates into core Microsoft solutions such as Windows, of course. But it also can stand alone as a cloud computing platform that offers value far beyond the confines of the software giant's core markets. In the enterprise, Live Mesh is currently more vision than reality, but developers especially should become familiar with the platform as soon as possible. Stay tuned: As Microsoft evolves this platform into something more applicable to IT needs, I'll keep you informed.
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Minasi 

"Netsh lets you assign a static 
IP address or get IP information 
from a DHCP server." 



Fine-Tune Server Core's IP Stack with Netsh 

A familiar tool helps you do the necessary tinkering 


If you're like me, you're excited about the prospect of Server Core, Windows Server 2008's GUI-less alternative. In this space, I've tackled a few aspects of Server Core configuration. Now, it's time to get Server Core's network stack set up. To do that, I'll use Netsh, a tool that I've described in the past but that's changed enough to warrant a new look.

IP and DNS 

Netsh can accomplish many tasks, and one of those is to set a system's IP address and DNS servers. Like the IPv4 Properties GUI that you'll find in the full Server 2008 installation, Netsh lets you choose to either assign a static IP address or get IP information from a DHCP server. Using DHCP makes for a simpler command, so let's start with that:

netsh int ip set address "<adapter name>" dhcp [store=active|persistent]

The useful store= parameter is new to Server 2008 and Windows Vista—store=active makes this change to the TCP/IP stack but undoes it at the next reboot, and the default store=persistent makes the change permanent. For example, to configure a Server Core system to get an IP address for an Ethernet adapter from a DHCP server, you'd type

netsh int ip set address "local area connection" dhcp

DHCP is the default setting, so it's more likely that you'll want to set a static IP address. To do so, assemble a Netsh command as follows:

netsh int ip set address "<adapter name>" static <IP address> <netmask> [<gateway IP address> [<metric>]] [store=active|persistent]

Notice that the gateway is now optional. Some older versions of Netsh complained if you left the default gateway's IP address off a Netsh command. For example, to assign a static IP address of 192.168.2.2 on a /24 network with a default gateway address of 192.168.2.1, you'd type

netsh int ip set address "local area connection" static 192.168.2.2 255.255.255.0 192.168.2.1

Here, I specified a default gateway but not a gateway metric; again, earlier versions of Netsh wouldn't have allowed that. Also, I specified the network interface's entire name—"local area connection." Previously, I've advised people to shorten "local area connection" to "local" to save typing time and to avoid the need for quotation marks, but I fear that the days of abbreviating network interface names are gone forever. Server 2008's insistence on IPv6 means that every NIC has at least one tunnel adapter with a name such as "local area connection 8." Therefore, you must specify the full adapter name of "local area connection"; otherwise, Netsh might get confused and assign that IP address to your tunnel adapter rather than the NIC for which you intended it.

First, Second, Third... 

Finally, you'll want to specify one or more DNS servers' IP addresses that your Server Core system can use for resolving names. Netsh can do that, but the syntax is a bit unexpected: You use netsh int ip set dns to set the preferred DNS server and netsh int ip add dns to specify your additional choices. The syntax for setting the first DNS server is easier than for setting the IP address:

netsh int ip set dns "<adapter name>" static <IP address> | dhcp

For example, to give your Server Core system a preferred DNS server with an IP address of 10.50.50.4, you'd type

netsh int ip set dns "local area connection" static 10.50.50.4

To add subsequent DNS servers to search, you'd use the syntax

netsh int ip add dns "<adapter name>" <IP address>

No static keyword is necessary in this command; you can't tell your system to accept a statically assigned, preferred DNS address but then get the subsequent DNS server IP addresses from DHCP. So, for example, to tell your Server Core system to look to the DNS server at 10.50.50.1 when the DNS server at 10.50.50.4 doesn't respond, you would type

netsh int ip add dns "local area connection" 10.50.50.1

Assemble a Batch File 

By now, you're pretty far along in the process of setting up your Server 
Core system. I recommend assembling a batch file that contains all your 
setup commands—it would be a great tool either for rebuilding after a 
disaster or building a test network that parallels your real network! 

InstantDoc ID 98969 
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Otey 

"Without a doubt, the coolest 
command-line tool in Server 
2008 is ServerManagerCmd" 




Command-Line Tools in Windows Server 2008 

Manage servers, make backups, and customize your system with these great tools 


Like every release of the Windows Server OS before it, Windows Server 2008 includes a set of new command-line tools, some of which come from previous resource kits or support tools and others are new. Although Server 2008 includes Windows PowerShell, none of these new commands are PowerShell commands. For a complete list of commands in Server 2008, you can download the Windows Command Reference from Microsoft's Web site (https://www.microsoft.com/downloads/details.aspx?FamilyID=5fb255ff-72da-4b08-a504-1b10266cf72a). Here are my favorite new commands in Server 2008.

Oclist—Microsoft added the command-oriented Server Core as an installation option for Server 2008, and it has its own commands. Oclist queries the installed roles on your Server Core system. To list the status of all Server Core roles, you can run the command

oclist

Ocsetup—The Ocsetup command is used to install and remove roles and features from a Server Core system. The following example shows how to add the DHCP Server role:

start /w ocsetup DHCPServerCore

Bcdedit—Like Windows Vista, Server 2008 uses a new boot process that saves the system boot configuration in the Boot Configuration Data (BCD) store. The primary tool for editing Server 2008's BCD store is the Bcdedit command, which supports many command-line options. To list the contents of the store, run

bcdedit /enum

Icacls—The Icacls command replaces the older Cacls and Xcacls commands. Icacls lets you list, update, and back up the ACLs for files and directories. The following example shows how you can save the ACLs for the C:\temp directory:

icacls c:\temp /save tempacl

Mklink—The Mklink command creates a symbolic link in the file system that redirects all requests to a location you specify. Symbolic links are transparent to users, appearing as normal files or directories. The following example shows how to create a symbolic link named alsotemp for the C:\temp directory:

mklink /d alsotemp c:\temp


Robocopy—A staple in the Windows Resource Kit for years, Robocopy is more capable than the standard Windows Copy and Xcopy commands, and it's able to resume after network outages as well as correctly copy file attributes, alternate streams, and security information. The following example shows how to use Robocopy to create a mirrored copy of the MyData directory and all its subfolders on the share named Backups on MyServer:

robocopy "C:\MyData" "\\MyServer\Backups" /MIR /R:2 /NP

Wbadmin—Wbadmin is used for Server 2008 backup and restore operations. The following example shows how to use Wbadmin to perform a full system backup to the share named Backups on MyServer:

wbadmin start backup -backupTarget:\\MyServer\Backups -allCritical -vssFull

WinRS—The WinRS command lets you open a secure command window with a remote host. All communications between the client and the host are encrypted using Kerberos or NT LAN Manager (NTLM) keys. The following example connects to the server named MyServer and displays the command shell:

winrs -r:MyServer cmd

Appcmd—Appcmd.exe is a new command-line tool that can be found in the %WinDir%\System32\InetSrv directory. Appcmd is used to query, create, and configure Microsoft IIS 7.0 server properties, Web sites, and application pools. To list all sites on the system, you can use the following command:

appcmd list sites

ServerManagerCmd—Without a doubt, the coolest command-line tool in Server 2008 is ServerManagerCmd.exe, which is the command-line version of the new Server Manager. This command essentially lets you script all of the Server Manager actions. To list all the installed roles and features on a Server 2008 system, you can enter

servermanagercmd.exe -query
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Finally, Affordable Enterprise-Class Archiving 


Introducing Sunbelt Exchange Archiver. Sunbelt
Exchange Archiver (SEA) is a robust new product which
delivers real enterprise-class email archiving, at a price that 
won’t break your budget. Get comprehensive legal and 
regulatory compliance. Reduce your Exchange storage by 
up to 80 %. Securely store emails on your choice of media, 
using the built-in Hierarchical Storage 
Management. And, find archived emails 
rapidly with full-text search for e-discovery 
or compliance. 


Up to 80% smaller message store. With SEA, you’ll 
dramatically reduce your Exchange storage. The benefits are 
clear: faster backup times, better Exchange performance, 
and faster recovery. 


Compliance, e-Discovery, and legal
readiness. If you need to archive emails 
for regulatory or legal reasons, SEA has 
you fully covered. Emails are stored in 
their original form, in whatever secure 
media you prefer, with complete flexibility 
on retention. Need to find an archived 
email? Simply use SEA’s powerful 
integrated full-text search of emails and 
attachments, and you’ll be ready at a 
moment’s notice for e-discovery or legal 
requests. 

Seamless end-user experience. SEA
is fully transparent for your users, whether
they’re running Outlook, OWA, Blackberry 
devices or even Entourage on the Mac - with 
no special client software needed. Trusted 
end users can be delegated granular authority 
with the included web-interface or optional Outlook 
add-in. They can do off-line synchronization, and search, 
edit, forward, move or delete archived emails. 


"Exchange performance 
is suffering. Your users 
complain about email 
storage. Your CEO wants 
legal compliance. 

Now what?" 


Journaling not required. It’s a fact that using the
Exchange Journaling mailbox for archiving
dramatically affects server performance. 
With SEA, Journaling is an option - the 
program’s breakthrough Direct Archiving 
feature stores all emails immediately after 
they are received, keeping load off the 
Exchange server. 



No more PST headaches! SEA gets
rid of pesky PST files that are a major
admin headache. SEA automatically finds 
them, imports them, and makes them part 
of your user’s archive. 

Great for disaster recovery. No
matter where your email is stored, business
continuity is assured with SEA. Using the 
included web client, users can continue to 
see and use their email even if Exchange is 
down. 

Archiving’s time has come for 
everyone. Contact us today and see how 
SEA solves your legal and compliance 
headaches and immediately improves the performance of 
Exchange - while saving critical budget dollars. 



Sunbelt Software 


Get a Free Quote and See How Cost-effective Sunbelt Exchange Archiver Really Is! 

Email sales@sunbeltsoftware.com or call 888-688-8457 


Sunbelt Software Tel: 1-888-688-8457 or 1-727-562-0101 Fax:1-727-562-5199 www.sunbeltsoftware.com sales@sunbeltsoftware.com 
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READER TO READER ■ 


ONLINE 

windowsitpro.com 


Be Part of a Windows IT Pro 
Cover Story 

The Reader to Reader (R2R) section is written for IT pros by IT pros. That's what makes it such a hit among Windows IT Pro readers and Web site visitors. To showcase the talent and creativity of these IT pros, we're planning to feature the most interesting R2R write-ups in a cover story.

So, if you've come up with a creative shortcut, solved a plaguing problem, turned a tedious task into an effortless one, or come across information other IT pros should be aware of, let us know about it. You don't need to be a skilled writer. We have editors who will turn your write-up into polished prose. All you need to do is tell us in 1,000 words or less what prompted you to come up with the shortcut, solution, or streamlined task and how it works. If you're sharing information, let us know how you came across that information. You can send your R2R write-up (or write-ups if you'd like to send more than one) to r2r@windowsitpro.com.

We'll be sending all the R2R write-ups we receive in the next few months to our technical editors, who will decide whether to accept them for publication. A panel will then review all the accepted R2R submissions and select the most interesting write-ups for the cover story. The accepted R2R write-ups that aren't selected for the cover story will be printed in the R2R section in future Windows IT Pro issues. Whether an R2R write-up is part of the cover story or printed in the R2R section, the author will receive $100 when it's published.

Send your R2R write-up to us today! 



The second release of the Community Technology Preview (CTP) of Windows PowerShell 2.0 is now available for download from www.microsoft.com/technet/scriptcenter/topics/winpsh/pshell2.mspx.


■ Cover Story ■ Speed Up Queries 

■ DCOM Errors 


SOLUTIONS FROM YOUR PEERS 


Use Dcomcnfg.exe to Stop DCOM 
10000 and 10005 Errors 

In event logs, you can sometimes get errors 
that mention DCOM as a source. Usually, 
the event ID is 10000 or 10005 and the 
error message reads something like: The 
server <a class's ID goes here> didn't register 
with DCOM within the required timeout. As 
a result, you might experience problems 
starting or using an application or service 
on that computer. Usually, the problem is 
created by a corruption in DCOM's class 
database. 

A tool that might solve the problem is dcomcnfg.exe, a built-in Windows utility that lets you configure DCOM settings in the registry. One way you can access it is to select Run on the Start menu, type dcomcnfg, and click OK. You can also access it through Administrative Tools, Component Services.

In the Component Services window that appears, navigate to Component Services, Computers, My Computer, DCOM Config. Highlighting the DCOM Config folder fetches a list of all the DCOM objects on your machine. (You might experience a short delay during this time.) Besides fetching the objects, dcomcnfg.exe detects any missing registration. If the utility detects any, it will ask you whether you want to register that component with DCOM. Click Yes. You might be asked this question several times if the utility detects more than one unregistered component. Afterward, you'll be able to see all the registered DCOM components.

You can then close dcomcnfg.exe and check to see whether the problem disappeared. Curiously, sometimes the problem gets fixed, but if you re-open dcomcnfg.exe, you're prompted again for registration.

Note that the dcomcnfg.exe utility doesn't solve all DCOM problems, but you have a good chance of solving a problem by spending no more than a few seconds to perform the procedure just described. Also note that after any change in DCOM, Microsoft recommends that you reboot your computer.

—Apostolos Fotakelis, systems administrator, NATO, and freelance IT consultant
InstantDoc ID 99190

How to Significantly Speed Up 
Tasks That Involve Querying 
Computers 

Windows Management Instrumentation (WMI) scripts that query multiple computers often take an inordinate amount of time to run due to computers being offline. However, you can dramatically speed up these types of scripts by using the PowerShell statement in Listing 1. Like many useful PowerShell statements, this statement is kind of long. That's okay. As Larry Wall, the father of Perl, said back in 1990 when he was in a similar situation, "You want it in one line? Does it have to fit in 80 columns?"

Listing 1: Inline Where-Object Test That Checks Machines for Ping Responses

Where {(Get-WmiObject Win32_PingStatus -Filter "address='$_'").StatusCode -eq 0}

A network query to an inaccessible remote machine can take up to a minute to time out on its own. As an example of how significant this is, consider the 180-system LAN I work with. Many of these systems are mobile or simply not turned on all the time, so the typical peak daytime count of connected systems is roughly 100. A WMI script that asks each system whether it has a particular patch installed only takes about 3 seconds per machine to run, or about 5 minutes for all the successful queries. However, the script actually attempts to connect to every single IP address on a private class C subnetwork (i.e., 254 nodes). This means that timeouts caused by the approximately 150 nonresponsive addresses add about 2 hours to the script's run time—roughly 45 to 55 seconds for each offline system the script attempts to contact. With the statement in Listing 1, I can determine which machines are online and check for the patch only on those machines. As a result of this technique, the script executes in well under 10 minutes.

This technique is so useful that I turned the statement in Listing 1 into a script for easy use. Before I tell you how to obtain and use this script, though, I want to walk you through how the statement works because it demonstrates many useful features in PowerShell.

The statement in Listing 1 uses PowerShell's Where-Object cmdlet (represented by the alias Where). The Where-Object cmdlet is a generic filter. Just like any other filter, it's designed to remove items you don't want.

The heart of any Where-Object filter is the code surrounded by braces {}. Where-Object evaluates the code within the braces and attempts to turn any result of the code into a true or false statement. If the statement evaluates to true, Where-Object passes the current object down the pipeline. If the statement evaluates to false, Where-Object silently drops the current object.

Listing 2: Example Usage of the Where-Object Test

"srv01","192.168.1.254","www.penton.com","localhost" |
  Where {(Get-WmiObject Win32_PingStatus -Filter "address='$_'").StatusCode -eq 0}

Within the braces is the following command:

(Get-WMIObject Win32_PingStatus -Filter "address='$_'")

This command uses the Get-WMIObject cmdlet, which you can use to access WMI classes and their data. In this case, the Win32_PingStatus class is being accessed.

You might be wondering about the $_ notation in the Get-WMIObject command. The current object in the pipeline is substituted everywhere you see $_ in braced code in PowerShell. So, for example, if the current object is srv01, the code "address='$_'" becomes "address='srv01'". In this case, the Get-WMIObject command is the same as the WMI query

SELECT * FROM Win32_PingStatus WHERE address='srv01'

No matter whether you use the Get-WMIObject or WMI query, Win32_PingStatus returns an object. This object's StatusCode property contains a numeric code that tells you whether the ping succeeded. If the property's value is 0, the ping succeeded and you'll be able to access that remote machine. If the property's value is a non-zero value, you won't be able to access the remote machine. (There are several possible non-zero values; all the non-zero values generally mean the remote machine is unavailable or has network connectivity issues. You can find the non-zero values documented at msdn2.microsoft.com/en-us/library/aa394350(VS.85).aspx.)

The Where-Object statement allows only those machines whose pings return a status code of 0 to pass through. Listing 2 demonstrates this. In this code, I piped four computer names—srv01, 192.168.1.254, www.penton.com, and localhost—into the Where-Object statement for testing purposes. Note that:

• My local network doesn't contain a computer named srv01.

• I have a network appliance at 192.168.1.254.

• The Penton Web server ignores public ping requests.

• My desktop system responds to queries for localhost.

Listing 3: Test-IPNode.ps1

process {
  # Pass along only the pipeline items that answer a ping (StatusCode 0).
  $_ | Where {(Get-WmiObject Win32_PingStatus -Filter "address='$_'").StatusCode -eq 0}
}

When I executed the code in Listing 2 in 
the PowerShell console on my machine, the 
output contained only 192.168.1.254 and 
localhost, as Figure 1 shows. Where-Object 
correctly dropped the computers that 
didn't respond to the ping request. 

As I mentioned previously, the Where-Object statement is so useful that I turned it into a script, Test-IPNode.ps1, for easy use. Listing 3 shows this script, which you can download by going to www.windowsitpro.com, entering 99222 in the InstantDoc ID box, clicking Go, then clicking the Download the Code Here button.

To use Test-IPNode.ps1, save the script somewhere in your Windows search path. If you save it elsewhere, you need to explicitly specify the path to the script to run it. To quickly ping the remote machines named srv01 and srv02 and only get back the nodes that respond, you would run it like this:

"srv01","srv02" | Test-IPNode

I want to thank James Lim for planting the idea that grew into Test-IPNode.ps1. As Jim noted in his Reader to Reader article "PowerShell Script Lets You Check Patches' Status" (January 2008, InstantDoc ID 97609), it's important to learn to apply PowerShell to current problems. By applying PowerShell, I was able to come up with a short, simple script that I can use to speed up virtually all tasks that query individual network nodes.

—Alex K. Angelopoulos, senior network engineer

InstantDoc ID 99222 
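
The ping pre-filter drops every node that does not answer, including hosts that are up but ignore ping (as the Penton Web server does in the Listing 2 test), so in a patch audit those nodes should be reported rather than silently skipped. The following Windows PowerShell (3.0 to 5.1) code is an added example, not the author's script: the function names, the 192.168.1 prefix, the use of Win32_QuickFixEngineering for the patch check, and the hotfix ID (a placeholder) are all assumptions.

```powershell
# Added example, not from the original article. Function names, the subnet
# prefix and the hotfix ID are illustrative assumptions.

function Test-IPNode {
    # Same test as Listing 3, with an explicit ping timeout in milliseconds.
    param([int]$TimeoutMs = 1000)
    process {
        $node = "$_"
        # The name is placed inside a WQL string, so accept only characters
        # that can appear in a host name or an IP address.
        if ($node -notmatch '^[A-Za-z0-9.:-]+$') { return }
        $ping = Get-WmiObject Win32_PingStatus `
            -Filter "Address='$node' AND Timeout=$TimeoutMs"
        # StatusCode is empty (not 0) when the name cannot be resolved,
        # so unresolved names are treated as offline too.
        if ($ping.StatusCode -eq 0) { $node }
    }
}

function Get-PatchStatus {
    param(
        [Parameter(Mandatory = $true)][string[]]$Nodes,
        [Parameter(Mandatory = $true)][string]$HotFixId
    )
    # Ping first, so the slow remote WMI query runs only against live nodes.
    $online = @($Nodes | Test-IPNode)
    foreach ($node in $Nodes) {
        if ($online -notcontains $node) {
            # Keep a record of skipped nodes: no ping reply does not prove
            # the machine is off, only that this audit did not cover it.
            [pscustomobject]@{ Node = $node; Status = 'NoPingReply'; Installed = $null }
            continue
        }
        try {
            $fix = Get-WmiObject Win32_QuickFixEngineering -ComputerName $node `
                -Filter "HotFixID='$HotFixId'" -ErrorAction Stop
            [pscustomobject]@{ Node = $node; Status = 'Queried'; Installed = [bool]$fix }
        }
        catch {
            # Answers ping but refuses WMI (firewall, access denied, not Windows).
            [pscustomobject]@{ Node = $node; Status = 'QueryFailed'; Installed = $null }
        }
    }
}

# Every address on an assumed private /24, with a placeholder hotfix ID.
$nodes = 1..254 | ForEach-Object { "192.168.1.$_" }
Get-PatchStatus -Nodes $nodes -HotFixId 'KB0000000' |
    Sort-Object Status, Node |
    Format-Table Node, Status, Installed -AutoSize
```

Rows with Status NoPingReply or QueryFailed are the audit's coverage gaps and need a follow-up check by other means.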





18 JULY 2008 Windows IT Pro 


We're in IT with You 


www.windowsitpro.com 


















ASK THE EXPERTS ■ 



■ Internet Explorer 

■ Virtualization 


■ Security 


Q: How secure is virtual machine (VM) technology when VMs of different organizations or untrusted users are being hosted on the same host system? We're considering contracting for a virtual server instead of dedicating a server for our Web site.

A: The answer to your question depends partly on the VM software that's used (e.g., Microsoft Virtual Server or VMware's GSX or ESX product). Recently, Microsoft released security bulletin MS07-049 (www.microsoft.com/technet/security/bulletin/MS07-049.mspx) regarding its Virtual PC and Virtual Server products. The vulnerability addressed by the bulletin lets administrators in one guest VM gain administrator authority on the host server. (For some reason, this bulletin was rated as Important instead of Critical, which I disagree with because security architects rely on insulation between guest VMs and the host.) Installing a security update or upgrading to the most recent versions of Virtual Server and Virtual PC fixes the vulnerability.

However, guest VMs are generally very insulated from one another and can—from a security point of view—be treated the same as physical computers with the following caveat: You're depending on the honesty and security practices of the administrators of the host system. For example, if the administrator of the host system fails to load patches to the VM software, guest VM administrators can exploit the unpatched host, break out of their VM, and gain administrator authority to the host system. Also, all guest VMs are vulnerable to rogue host administrators. Host administrators have the equivalent of physical access to the guest VMs, and according to the so-called immutable laws of computer security, anyone with physical access to a system can break into the system. Note that hackers are now building malware that can detect if the malware is running on a VM.

—Randy Franklin Smith 

InstantDoc ID 99094 


ANSWERS TO YOUR QUESTIONS 



Q: How can I change the Microsoft Internet Explorer (IE) quick-complete string?

A: If you open IE and type "ntfaq" into the address bar, then press Ctrl+Enter, the "http://www." and ".com" are automatically added to the text—the result being http://www.ntfaq.com. You can change the registry to modify the pre-text and post-text additions. To do so, follow these steps:

1. Start the registry editor (regedit.exe).

2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar registry key.

3. Open the Edit menu, and select New, Key.

4. Enter QuickComplete.

5. Under the new key, create a String value by entering New, String Value. Name it QuickComplete and press Enter.

6. Double-click the new value and set it to "www.%s.net" if you want .net to be the default extension, and click OK.

You don't have to restart IE for the change to take effect.

Figure 1: Changing IE's quick-complete string


Q: What are VMotion and Dynamic Resource Scheduler (DRS) in VMware?

A: VMware's ESX software supports VMotion technology, which allows a running virtual machine (VM) to be moved between ESX servers without having to stop the virtual instance and without the VM missing a beat in terms of traffic.

DRS uses VMotion capabilities to allow multiple physical ESX servers to be grouped as one resource pool of memory and CPU. This allows virtual instances within a DRS cluster to be dynamically moved between the members of the DRS cluster to balance resource usage with no downtime to the virtual instances.

The level of automation of the movement between servers depends on the automation level selected (which allows only suggestions for where to move virtual instances): Partially Automated moves virtual instances only at power-on time, and Fully Automated automatically moves virtual instances according to a selected threshold (based on the move's recommendation level).


—John Savill 

InstantDoc ID 99092 


—John Savill 

InstantDoc ID 99093 
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COVER STORY ■ 




M any organizations are still ponder¬ 
ing whether and when to deploy 
Windows Vista. With the recent 
release of SPl, those who were 
planning to “wait for the first 
service pack" might soon be 

taking the plunge. 

Before they do, however, they'll probably reach 
out to other admins who have already deployed 
Vista for a heart-to-heart about the experience. 

When you're going somewhere you've never been
before, you'd like to be able to get there without
running into detours, roads under construction,
and bridge trolls. Hearing
from others who have made the trip
before you will help you know what
landmarks to look for and plot alternative
routes around problem areas.

My organization recently deployed Windows 
Vista Business, and I might be able to help you enjoy your 
trip to the same destination by sharing two things. The first is the 
positive experiences of our deployment. Maybe you can expand upon our 
experiences and make your deployment all the better. The second and perhaps more 
important is what I wish I'd known beforehand or spent more time on in research, during 
testing, or both. 


The Positives 

Overall, our implementation went extremely well, despite the bad press that Vista's received. 
We feared that the publicity would prejudice our users to think that "Vista is bad" before
we even began—and it did, but our deployment went well enough to allay any initial user
pushback. The things we did right included replacing all PCs, showcasing the new systems 
at a company meeting, and investing in an extended warranty with onsite service. 

New hardware. One of the first decisions we made that, in hindsight, was a good one, 
was to lease brand-new equipment, both monitors and computers, rather than upgrade 
our existing systems. There were two reasons for this decision. First, many of our existing 
machines were simply incapable of running Vista even if we upgraded them—most were 
four- or five-year-old IBM NetVistas with 256MB of RAM and integrated graphics. Second, 
many of the machines had outlived their useful service life and their components were 
beginning to fail. One benefit of Vista that we proclaimed to our users was the Aero interface,
especially the Flip 3D feature. We wanted
our users to have the best Vista experience
possible, and that couldn't happen with the
equipment we had in service.

Avoid some of the bridge trolls on the road to Vista

by Michael Dragone

ILLUSTRATION BY RYAN ETTER

Identical equipment under excellent
warranty. Our existing systems had been
purchased through several different channels
in an attempt to obtain the best price at
the time. The result was a mishmash of warranty
coverage that ranged from one to three
years for different PCs. When a component
such as a power supply failed, we often had
to buy a replacement part out of pocket
rather than have it replaced under warranty.
Even systems that remained under warranty
didn't have on-site support coverage, which
caused us to spend a considerable amount
of time repairing failed systems.

For our Vista deployment, we made sure
that all our new equipment was identical in
every way, shape, and form. We also obtained
a warranty that includes next-business-day
onsite service for the length of the lease, which
let us easily swap components and replace
faulty components and machines almost
immediately. This warranty has already paid
for itself half a dozen times.

All the new computers support dual
monitors out of the box. Previously, when
a user requested and received approval for
dual monitors, we had to open the user's
machine and install a video card and drivers.
Now we simply plug in a new monitor,
which is a huge time saver for us and for the
user. Ensuring that machines support dual
monitors might just be common sense,
but I wish that someone who had more
common sense than I did at the time had
reminded me of it four years ago when we
were deploying Windows XP.

■ IT PRO HERO

A Smooth Windows Vista

Members of Penton Media's IT team give a blow-by-blow account of their successful Windows Vista migration

In the media business, takeovers and mergers occur frequently.
One such merger and acquisition, between Penton
Media and Prism Business Media, proved an opportunity
for a small IT department to migrate the newly united company
from Windows XP and Windows 2000 to Windows
Vista and the Microsoft Office 2007 product suite. Recently,
three of the key Penton IT pros who labored behind
the scenes—senior network engineers Brent Mammen and
Chris Ripkey and senior network architect Lucas Smith—spoke
with several Windows IT
Pro editors about their experience migrating the new Penton Media to
Vista. Would they have done some things differently? Yes. Are they glad
they migrated? Definitely. Did it go perfectly? Of course not—but the
good news is, there were no show-stoppers in the migration, either.

Penton Media IT team members Brent Mammen, Lucas Smith, and
Chris Ripkey

Q | What factors drove the move to Vista?

CR | One of the biggest reasons was that we wanted to have a unified
platform between the two companies. The old Penton side was
on XP for a while. The Prism side had a lot of old hardware and ran
Windows 2000 Professional for eight years. A lot of us [in IT] had been
using Vista [already], and we saw that it offered many benefits from
the Group Policy standpoint. Finally, XP was going to be sunsetted
in a couple years.

BM | Half of the company needed to
be migrated to a new email platform,
and the other half was undergoing a domain
migration as well as a PC refresh cycle. We
didn't want to have to revisit our desktop base a year or two down the
road for another upgrade. It also seemed to make sense from a supportability
perspective to have the majority of the clients on the same OS.

Q | How many machines did you migrate from XP to Vista?

BM, LS | Penton has a little over 1,700 managed desktops in its
enterprise, and we've migrated around 700 machines so far.

CR | There are still some XP machines hanging around because of
Office 2007's lack of compatibility with our Oracle Financials application
and the Oracle ADI plug-in for Microsoft Excel. Business managers
within Penton use the Oracle ADI plug-in to download financial
reports into Excel. The issue as I understand it is you can't deploy
anything later than Microsoft Office 2003 and use the ADI plug-in.


Standard image. Our primary piece
of software is a .NET Web application, so
our most valued Microsoft application is
Internet Explorer (IE). Our users also run
Microsoft Office, with Adobe Reader rounding
out the software suite that 90 percent of
our users rely on. The remaining 10 percent 
use a handful of specialized applications, 
but not everyone in that 10 percent uses the 
same applications. 

As a result of our users' application
needs, we decided to build one Windows
Imaging Format (WIM) image and deploy it
to all users. For users who were in the "special
10 percent," we either installed the specialized
applications manually or deployed
them through Group Policy. This approach
was very successful, allowing us to create an
image that requires less maintenance long-term
as the applications are upgraded.


Separate OU for Vista machines. For
our Vista machines, we created a new
organizational unit (OU) and Vista-specific
Group Policy Objects (GPOs) that we
linked only to that OU. This approach let
us test all new Vista-specific settings and
make changes to them without affecting the
installed base of XP machines. By letting us
modify settings on only the new machines
and quickly see the results in production,
the new OU and GPOs had already paid for
themselves by the time we'd finished our
initial 20-machine rollout.

Introduction of new systems. At a company-wide
meeting, we showcased the new
equipment and some of the new features of
Vista and Microsoft Office 2007, such as Flip
3D and the Ribbon. A big highlight was our
demonstration of the monitors, which are
able to rotate into a vertical position. At least
60 percent of our users have elected to keep
their monitors in this position because it
gives them more screen real estate for reading
long documents. The public demonstration
gave our users the opportunity to ask
questions and let us present the timetable
for rolling out the new systems, but the biggest
benefit of the introduction was that it
excited users and management and brought
them on board with the Vista deployment.


Migration Is Possible 


Q | Did you use third-party migration tools?

BM | We didn't really rely on outside tools. In our case, most of the
machines were bare-metal builds. Microsoft utilities such as User State
Migration Tool and the Microsoft Application Compatibility Toolkit
were very helpful. Our company had used Preboot Execution Environment
with Remote Installation Services to deploy PCs in the past, so
upgrading to the new Windows Deployment Services (WDS) to push
out our Vista Windows Imaging Format images wasn't a huge stretch
for our desktop team.

Q | What steps did you take in migrating?

CR | The first piece that I worked on was building the image, then trying
to figure out the applications to put on it. I also worked on getting
the Microsoft Office Communicator infrastructure set up. One of the
major steps that Brent worked on was setting up Microsoft Forefront
Client Security. Lucas worked on a lot of back-end server and Group
Policy configuration. Brent and I worked a lot on WDS and how to get
the images installed on the WDS server. We had a lot of new products
to deploy. We all worked on individual pieces of the puzzle and
brought it all together in the desktop image.

Q | What strategies worked for you?

BM | We were under a deadline to upgrade a large number of offices
in a short time span. When we arrived at each office, everything had to
be sequenced just right. We did things like scheduling employees for a
day of offsite training while we upgraded their systems, migrated their
email, and moved any local files to their new systems so that they'd
be fully functional the next business day. We could always do more
testing, piloting, and research before the migration, time permitting.
And automated software inventories are always good, but nothing
beats sitting down with the end users and actually determining how
they use their systems.

CR | You need good documentation and good software and hardware
inventory before you start the migration.

LS | One of the big things that made it better for our end users was
the training. The Vista learning curve wasn't that big, but the Office
2007 learning curve was huge.

Q | Did the migration go according to plan, or were there kinks in
the process?

BM | Actually, we had more issues with Office 2007 compatibility
than we did with Vista. A surprising number of applications interface
with the Office suite, and the jump from Office 2003 to Office 2007
is a big one.

LS | For a successful deployment, you have to do plenty of testing.
I wish we'd had more time for testing, but [because of] where our
company was [in its migration timeline], we didn't have that time.
Some of the problems were around Group Policy. For example, we
have a lot of home users, and we didn't have the time to test their
different scenarios. This caused slow-logon issues for some of the
users because of synchronization problems.

InstantDoc ID 99096 


Read an expanded version of this article at
www.windowsitpro.com, InstantDoc ID 99096.

(cmarwitz@windowsitpro.com) is an associate editor for Windows
IT Pro and SQL Server Magazine, specializing in Active
Directory, Group Policy, and desktop management.


www.windowsitpro.com 


We're in IT with You 


Windows IT Pro JULY 2008 23 





















User-assisted testing. Our users know
their applications far better than we in IT
do. For example, although the accounting
package installed and ran fine, the IT staff
doesn't have the necessary permissions
to perform many of the functions that the
software offers. During the initial testing of
the Vista WIM image, we invited users to
spend some time doing their work in the
IT department and tell us about any problems
they encountered. By inviting users to
work with their software on the machines
they'd eventually have, we resolved several
problems before the systems were put into
production. User involvement brought to
light many concerns that we were able to
eliminate before deployment and made the
whole project proceed more quickly and
smoothly than it otherwise would have.

The Negatives 

None of the problems we ran into were
show-stoppers, but we certainly would have
liked to have known about all of them ahead
of time. Fortunately, we were able to successfully
deal with all our negative experiences,
albeit not always as quickly as we
would have liked.

Discontinued equipment. Shortly 
after we ordered an initial batch of new 
machines, our supplier informed us that 
HP was discontinuing that model. The 
replacement had similar specifications but 
a different external appearance. We ordered 
as many of the original units as we could but 
were forced to switch to the other model for 
20 percent of our deployment. As a result, 
users who received the discontinued model 
experienced computer envy, thinking that 
others were getting newer computers and 
that theirs was instantly junk, or at least 
outdated. No amount of explaining that 
the specifications were virtually identical 
allayed that feeling. 

The lesson here is to always ensure
that the equipment you want will remain
available throughout the deployment. Had
we known about the impending discontinuation,
we'd have ordered the alternative
model for everyone. The only reason we
went with the original model in the first
place was that it was slightly smaller and our
users like to maximize their desk space.

Printing woes. Initially we tried to use
our existing print server, which contained
only XP drivers, for Vista machines. That
was a mistake. Several of the drivers were
incompatible with Vista, which caused the
print spooler on the Vista machines to crash
on startup and was difficult to troubleshoot.

To resolve the problem, we set up a new
print server that contained only Vista drivers
and which was used solely by our Vista
machines. The new print server was a blessing
in disguise, as we intend to retire the XP
print server after the migration is complete.

A warning here to folks who are familiar
with Windows Server 2003 R2's print management
tools and XP's PushPrinterConnections.exe
utility: As you probably know,
Vista doesn't use PushPrinterConnections.exe
to deploy printers via Group Policy.
However, printers that are added to a GPO
will be installed not only at system startup
(as was the case with XP), but also at the next
Group Policy refresh.

This Vista-specific behavior hit us hard
after we added a new printer model to the
print server during the workday and our
Vista machines attempted to automatically
install the driver at the next policy refresh.
The Help desk phone rang off the hook
when users, none of whom run with Administrator-level
credentials, were unable to
install the new driver and didn't know how
to proceed. We were accustomed to adding
new printer models to our print server and
telling our users (who at that time were
running only XP) to "restart if you need
new printer XYZ." We liked the fact that our
Vista users no longer needed to restart, but
we certainly didn't want to give them all
Administrator-level credentials.

Fortunately, there is a solution to this
glitch, and we should have found it sooner.
When setting up our Vista GPOs, we took
the time to go through all of the available
settings, but we glossed over the Point and
Print section (which is located under User
Configuration\Administrative Templates\Control Panel\Printers).
This was a key tactical
error. As we learned, you can mitigate
this undesirable behavior by setting Point
and Print Restrictions to Enabled and setting
both When installing drivers for a new
connection and When updating drivers for
an existing connection to Do not show warning
or elevation prompt. (For details about
how to prevent this Vista glitch from ruining
your day, download the Microsoft white
paper "Point and Print Security on Windows
Vista" at www.microsoft.com/whdc/device/print/VistaPnPSec.mspx.)

Learn about Microsoft's Vista deployment tools and
how to use them:

"What's the Windows Automated Installation Kit,"
InstantDoc ID 94524

"WAIK Up: A First Look at Windows Vista Deployment
Tools," InstantDoc ID 47447

"Planning Your Vista Deployment with BDD,"
InstantDoc ID_9^

"Using Deployment Workbench," InstantDoc ID 97170

"Windows Vista Zero Touch Installations with BDD,"
InstantDoc ID 97441

"Customizing Windows Vista Deployments," InstantDoc
ID 47511

"Let WDS Ease Your Vista Rollout Pain," InstantDoc
ID 96098


Read about others' deployment experiences:

"Lessons Learned from a Vista Deployment,"
InstantDoc ID_98^

MICROSOFT RESOURCES

To learn about some Vista-related problems:

"Error results when you run the 'gpupdate /force' command
on a computer that is running Windows
Vista: 'User policy could not be updated successfully,'"
support.microsoft.com/?kbid=934907

"User profiles are unexpectedly deleted after you
configure the 'Delete user profiles older than a
specified number of days on system restart' Group
Policy setting on a Windows Vista-based computer,"
support.microsoft.com/?kbid=945122
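
One way to check how the Point and Print Restrictions settings described in the printing section landed on a client, and whether suppressed prompts are limited to named print servers. This is an added example, not code from the article or from Microsoft; the registry path and the value names (NoWarningNoElevationOnInstall, UpdatePromptSettings, TrustedServers, ServerList) are assumptions about where this policy is stored, and the function names are hypothetical.

```powershell
# Added example: report how Point and Print Restrictions are configured.
# Assumed location of the policy values (not given in the article):
#   HKCU or HKLM \Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
$SubKey = 'Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$Names  = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings',
          'TrustedServers', 'ServerList'

# Meaning of the two prompt values, matching the choices named in the GPO.
$InstallText = @{ 0 = 'Show warning and elevation prompt'
                  1 = 'Do not show warning or elevation prompt' }
$UpdateText  = @{ 0 = 'Show warning and elevation prompt'
                  1 = 'Show warning only'
                  2 = 'Do not show warning or elevation prompt' }

function ConvertTo-PromptText {
    param($Value, [hashtable]$Map)
    if ($null -eq $Value) { return 'Not configured' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "Unrecognized value $Value"
}

# Pure evaluation step: takes raw values, so it also works on exported data.
function Test-PointAndPrintValues {
    param([string]$Source, [hashtable]$Values)

    # ServerList is a semicolon-separated string of print server names.
    $servers    = @("$($Values['ServerList'])" -split ';' | Where-Object { $_.Trim() })
    $suppressed = ($Values['NoWarningNoElevationOnInstall'] -eq 1) -or
                  ($Values['UpdatePromptSettings'] -eq 2)
    $limited    = ($Values['TrustedServers'] -eq 1) -and ($servers.Count -gt 0)

    if ($Values.Count -eq 0)  { $note = 'Policy not configured here' }
    elseif (-not $suppressed) { $note = 'Driver prompts are still shown' }
    elseif ($limited)         { $note = 'Prompts suppressed for listed servers only' }
    else                      { $note = 'REVIEW: prompts suppressed for any print server' }

    [pscustomobject]@{
        Source         = $Source
        OnInstall      = ConvertTo-PromptText -Value $Values['NoWarningNoElevationOnInstall'] -Map $InstallText
        OnUpdate       = ConvertTo-PromptText -Value $Values['UpdatePromptSettings'] -Map $UpdateText
        TrustedServers = $servers -join ', '
        Assessment     = $note
    }
}

# Reads the policy from the user and computer hives of the local machine.
function Get-PointAndPrintPolicy {
    foreach ($hive in 'HKCU', 'HKLM') {
        $path   = "${hive}:\$SubKey"
        $values = @{}
        if (Test-Path -LiteralPath $path) {
            $item = Get-ItemProperty -LiteralPath $path
            foreach ($name in $Names) {
                $prop = $item.PSObject.Properties[$name]
                if ($prop) { $values[$name] = $prop.Value }
            }
        }
        Test-PointAndPrintValues -Source $hive -Values $values
    }
}

# Constructed sample (not from the article): both prompts suppressed,
# no approved-server list configured.
$sample = @{ NoWarningNoElevationOnInstall = 1; UpdatePromptSettings = 2 }
Test-PointAndPrintValues -Source 'constructed sample' -Values $sample | Format-List

# Live check of the machine the script runs on.
Get-PointAndPrintPolicy | Format-List
```

Run it as the logged-on user so the HKCU hive reflects that user's policy; a REVIEW line means the no-prompt setting is not tied to specific print servers.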

Group Policy surprises. A couple of new
Group Policy settings in Vista caught us off
guard. In our GPOs, we set the user Group
Policy loopback processing mode to Merge.
As a result, all users should have the same
policy regardless of who they are or where
they sit. But if you run Gpupdate with the
/force switch, the Merge setting produces
a hair-pulling error stating that Windows is
unable to resolve the computer name. The
Microsoft article "Error results when you run
the 'gpupdate /force' command on a computer
that is running Windows Vista: 'User
policy could not be updated successfully'"
(support.microsoft.com/?kbid=934907)
documents the problem and provides a
hotfix, which is also included in Vista SP1.

Our users will often sit at a computer
temporarily, and letting all those temporary
profiles hang around wastes a lot of disk
space. So we were thrilled to see a new Vista
GPO setting for deleting user profiles that
remained unused after a specified number
of days. As we discovered, however, the
initial implementation of this feature has a
bug. The feature counts the number of days
since the profile was created instead of the
number of days since it was last used. Panic
ensued when the first users to receive Vista
machines arrived at work one morning to
find that their user profiles had been deleted.
SP1 fixes this problem, and a hotfix for pre-SP1
systems is available in the Microsoft article
"User profiles are unexpectedly deleted
after you configure the 'Delete user profiles
older than a specified number of days on
system restart' Group Policy setting on a
Windows Vista-based computer"
(support.microsoft.com/?kbid=945122).

IE Protected Mode. Vista includes Internet
Explorer Protected Mode, which we
happily put to use. We use GPOs to configure
our internal application sites as trusted
sites. In Vista, trusted sites work as expected,
but sites that are not trusted open in a new
IE process. Our users found this additional
IE window to be confusing. To make them
more comfortable, we expanded our list of
trusted sites to include trusted vendors' Web
sites, where our users spend a lot of their
browsing time. We then did additional education
to explain that users should consider
one IE window the "work browser" and
the other window the "non-work-related
browser" for browsing sites such as Google.

This IE Protected Mode experience leads 
directly to our most important observation. 

Insufficient user training. Our users
grasped the Vista OS itself easily and quickly.
But despite showcasing our new equipment
at a company-wide event and involving our
users in testing, we realized too late that we
didn't provide enough training on the new
machines, especially for Office 2007 and the
Ribbon. Everyone in IT loved the Ribbon
and found it easy to use, but our users—
especially the power Office users—were lost.
They immediately wanted to "switch back
to the old way," which of course wasn't possible.
Although those folks learned the Ribbon
relatively quickly, they still lost hours of
work by fumbling about the interface or by
calling the Help desk for assistance.

Bon Voyage! 

It's likely that you'll make the trip to Vista at
some point. Rolling out Vista in an organization
isn't a casual stroll in the park; it requires
planning and research. I hope that some of
the things we discovered will help your trip
go smoothly, and I encourage you to talk
to others who have already deployed Vista
about their experiences before you deploy.
There's no substitute for hands-on experience
and adequate testing, and your users will
appreciate the experience more if you involve
them in the process as much as possible.
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The Past, Present, and Future 

of Virtualization 


Virtualization is old. Really old. Nearly as old as
electronic computing itself, and older than many
of you reading this article. The idea of simulating
multiple imaginary computers inside a single real
computer occurred shortly after the invention of
electronic data processors. Virtualization has been an effective
amplifier of the benefits of computing for more than 40 years.

Ironically, in that time many virtualization concepts have 
remained unchanged. The underlying technologies—for memory, 
processors, and storage—have improved dramatically. But the key 
concepts behind virtualization were so good from the beginning 
that they have undergone only incremental improvement. 

The attraction of virtualization was the same then as it is 
now: to save money. Computers were expensive to build, and 
virtualization promised to reduce the number of computers 
needed. Even the earliest computers spent a lot of time sitting 
around waiting for work. Virtualization was a way to let multiple 
projects share a single computer while keeping them fully isolated, 
improving utilization and lowering total cost of ownership. 

That is precisely the same reason anyone uses virtualization 
today. Understanding the history behind this powerful technology 
will let you better appreciate the nuances of its current incarnations. 
And knowing that it's all about money will let you foresee its 
demise. Because the minute virtualization stops saving money, it's 
all history. 

Genesis: The CP-40 Project 

The idea of using a single physical computer to simulate multiple 
imaginary ones dates back to the mid-1960s with an IBM research 
project called CP-40. Based on IBM's popular and revolutionary 
System/360 architecture, CP-40 let up to 14 instances of a client 
operating system run at one time, each instance behaving as if it 
had its own dedicated CPU, memory, and peripherals. 

The project required groundbreaking on three technological 
fronts before the system could get off the drawing board. The 
first of these is commonplace today: virtual memory. Multiple OS 
instances would require more real memory than could be provided 
at the time. Virtual memory simulates a large physical memory by 
reading and writing inactive portions of a smaller real memory to 
and from a backing store—at the time, magnetic disk and drum. 

The reading and writing process was termed swapping by IBM, the 
same term used today. 

On a second front, some means for switching control 
between virtual OS instances was needed, and for intercepting I/O 
instructions so that shared peripheral access could be managed. 
Privileged instructions were IBM's answer, in which virtual instances 
used a subset of the machine's instructions for the bulk of 
their work, but specific privileged instructions—generally those 
communicating with the outside world—would be intercepted by 
the hardware and handled in some other way. 

That led to the third front, the "some other way" for handling
privileged instructions. IBM created a small set of service programs
that ran outside all the virtualized operating systems, called the
control program, or CP. It is, in fact, the CP in CP-40. The CP
arbitrated shared access to disk and other peripherals, decided
which virtualized OS would get control next, and managed the
housekeeping for virtual memory.

In 1966, CP-40 became, as HAL from 2001: A Space Odyssey
would say, "fully operational." The guest operating system was
not the famous OS/360, as historians might expect, but a special 
interactive system called the Conversational Monitoring System 
(CMS), co-developed by IBM and MIT at IBM's Cambridge Scientific 
Center (CSC) in Cambridge, MA. Each CMS instance was operated 
by a single person from a typewriter console, letting each person 
feel like he had his own personal computer. 

CP-40 ultimately evolved into CP-67, running on a specially 
designed System/360 variant called the S/360-67. Because the -67 
hardware would take some time to develop, CSC simulated the 
hardware in CP-40—the first time a VM hosted a different (albeit 
similar) machine architecture from the underlying hardware. In this 
simulated environment, CSC crafted the new version of CMS to 
run in CP-67. Within a few months the actual -67 machine arrived. 
Thanks to the virtualized development effort, CP-67 came online 
almost immediately. 

In 1972 IBM folded its CP-line research innovations into a 
powerful new commercial operating system named VM Facility 370, 
or VM/370 for short. This is the first commercial use of the term 
Virtual Machine; IBM chose to replace the term pseudo computer 
used in the CP-40. IBM also coined the term hypervisor as a generic 
replacement for Control Program, although IBM continued to use 
the CP term to refer to the VM/370 hypervisor. 

IBM jump-started its development effort once again, by
virtualizing the System/370 hardware on the CP platform, speeding
its path to a shipping product. Although IBM wasn't the only
company working on virtualization ideas at the time (Burroughs was
a notable competitor), it was the first to bring a product to market,
giving IBM a competitive beachhead it would hold for many years.

VM/370 Takes Care of Business 

In 1970 IBM created a successor machine to its System/360, called 
the System/370. But virtualization in the form of the VM/370 
operating system and virtualization hardware support (including 
virtual memory) didn't arrive until 1972. By this time IBM had a 
number of operating systems for both S/360 and S/370 hardware: 
OS/360, DOS/360, OS/370, DOS/370, MVS, CMS and CMS/370. 
Virtualization was the perfect tool to let system administrators 
juggle these OS variants, easing the migration to new versions, and 
providing convenient test environments to keep production systems 
stable. VM/370 was a wild success with businesses, primarily 
because it excelled at that all-important mission of saving money. 

The VM/370 architecture continued throughout the 1970s and
subsequent decades, evolving into the VM/390 and ultimately z/VM,
which runs on IBM's current System z10 mainframe computers.
z/VM pioneered a resource partitioning scheme called LPAR (Logical
Partition), which segregates a subset of a computer's hardware
resources for dedication to a single VM instance. This was another
key virtualization development, as it let system administrators
guarantee performance levels to each VM instance. Today z/VM
is massively scalable, with physical host systems having up to 64
processors running thousands of Linux virtual machines.

IBM also brought z/VM-style LPAR virtualization to its
minicomputer lines (which IBM terms "midrange systems"), the System
i (formerly AS/400/iSeries), and System p (formerly RS/6000/pSeries).
LPAR lets these systems run multiple copies of their native operating
systems (i5/OS and AIX, respectively), as well as Linux variants.

Virtualization’s Second Wave 

IBM's virtualization innovations were ingenious, profitable, and,
well, expensive. Virtualization saved money, to be sure, but only
after you first bought one of IBM's mainframe or midrange systems,
which cost a healthy chunk of change. Although entry-level
prices have come down to the thousands-of-dollar level, it's not
uncommon to spend hundreds of thousands of dollars on
these IBM behemoths.

IBM's reign in the early big iron era came to a sudden end when
Apple introduced the first retail personal computer, the Apple II.
Based on a single-chip microprocessor, the Apple II represented a
sea change in computer hardware architecture. A microprocessor is a
physically tiny computer-on-a-chip requiring much less
supporting infrastructure—including power and air conditioning—than
its mainframe and minicomputer predecessors.
In short order, people began running businesses on microcomputers
rather than mainframes and minis—a major paradigm shift in
commercial computing.

Although spending fewer total dollars, microcomputer users 
still want to save money, and still face the same problems as their 
large-computer-user brethren: application isolation and utilization 
efficiency. As with the early mainframes, micros spend a lot of 
their time doing nothing, interspersed with brief periods of furious 
activity. Microcomputers designed to work as servers hosting 
multiple applications came into common use. Virtualization could 
bring the same benefits to micros as it did to larger systems. One 
virtualization technology exploited by micros almost immediately 
was virtual memory, which let these small computers run many 
more programs than their smaller memory capacities would 
otherwise hold. 

But the path to general-purpose microcomputer virtualization 
is not a straight one. In 1988 a company called Connectix created 
a virtualization product for the Apple Macintosh to let it run 
Microsoft's Windows, IBM's OS/2, and ultimately the free Linux 
operating systems on Mac hardware. Called Virtual PC, the product 
was successful in its niche, but the idea of generalized virtualization 
hadn't yet taken off. Eventually Microsoft purchased Connectix in 
2003 and adapted Virtual PC to also let Windows users run other 
operating systems (although not Mac OS X, due to Apple licensing 
restrictions). 

Virtualization’s Third Wave 

In 1999, long before Microsoft's involvement in virtualization, 
startup VMware produced a Virtual PC competitor called VMware 
Workstation. Users discovered the versatility of running multiple 
guest operating systems on their desktops, and suddenly 
microcomputer virtualization took off. In 2001 VMware released its 
GSX server product to provide server-level virtualization. Although 
exploiting many concepts originated by IBM with CP-40, one aspect 
missing from both VMware and its Virtual PC predecessor was the 
hypervisor - that small set of service programs that run outside 
the guest operating systems to manage communications with the 
outside world. 

Instead, VMware (and Virtual PC) required a full-blown 
host operating system, such as Windows or Linux. Because 
these operating systems already knew how to talk directly to 
the hardware, they served as functional, although inefficient, 
intermediaries. Inside the host OS VMware ran its Virtual Machine 
Manager (VMM), which was freed from having to deal with the 
large number of devices available to the underlying hardware 
by dint of the host OS, which already had drivers for all popular 
peripherals and interfaces. 

Another mutation in micro virtualization's DNA is the ability 
to run on non-specialized hardware. Nearly all virtualization 
products today can run on general-purpose Intel and AMD x86- 
class CPUs with no architectural support for virtualization. IBM's 
CP-40, VM/370, and descendants all implement similar privileged 
instruction mechanisms to trap I/O commands and route them to 
the hypervisor. Micro virtualization accomplishes this by modifying 
the hosted operating systems' binary code, redirecting I/O to the 
host OS for processing. 

Although VMware has been the market leader, the past 10 
years have seen many other virtualization research projects, some 
of them resulting in both free and commercial products. HP has its 
Virtual Partitions technology for HP-UX, Linux its KVM (free) and 
Xen (now owned by Citrix, with both free and commercial versions), 
and Windows its Virtual Server 2005 (bundled free with Windows 
Server 2003), to name just a few. Many other products are in 
various states of completeness and costs. These are virtualization's 
salad days. 

The most recent micro virtualization "innovation" has been a 
move from hosted to hypervisor architectures. VMware's ESX Server 
product, Microsoft's Hyper-V, and Citrix' Xen all use the hypervisor 
approach originally invented by IBM 40 years ago. Another back-to- 
the-future transformation is the advent of special-purpose hardware 
support for virtualization, in the form of Intel's VT-x and AMD's 
AMD-V processor lines. This is a parallel to the CP-40 privileged 
instruction set and associated hardware employed by the CP 
hypervisor. 

Although most commercial products still support both 
specialized and non-specialized processors, the trend is to require 
on-silicon virtualization support. Microsoft's Hyper-V, due to 
ship in 2008Q3, already has this requirement. The advantages 
of the hypervisor approach with hardware support are improved 
performance and the ability to run guest operating systems 
unchanged. A disadvantage can be a smaller number of supported 
device types, since the burden for providing device drivers falls on 
the hypervisor developer. Microsoft has a leg up in this respect, 
because most device manufacturers ship Windows-compatible 
drivers from the get-go. Drivers for other systems come later, if they 
come at all. 

Virtualization to Infinity and Beyond 

Although micro virtualization has played a lot of catch-up to gain 
parity with its Big Iron ancestor, it's not without its own unique 
contributions. VMware was the first vendor to provide such 
innovative features as live server migration, dynamic load balancing, 
and real-time failover. 

Live migration (VMware's VMotion) moves a running guest 
operating system from one physical host to another without 
skipping a beat. The guest never detects the move—everything 
keeps running with just a few milliseconds of down time. Dynamic 
load balancing (VMware's Distributed Resource Scheduling) 
automatically reallocates system resources, such as memory and 
processor capacity, to improve performance of a guest when it gets 
bogged down with a sudden workload increase. It can even 
automatically move a guest, using VMotion, to a server with more 
memory and CPU to achieve this goal. Real-time failover (VMware's 
HA clustering) monitors a primary guest instance and instantly 
transfers control to a continuously maintained backup instance 
should the primary fail. 

Micro virtualization is driving new hardware capabilities as 
well. Multi-core processors, which place up to 16 processors on a 
single silicon substrate, dramatically improve host system power 
efficiency and scalability. New instruction-level features, such as 
Intel's Virtualization for Directed I/O (VT-d), will streamline 
input/output processing, currently a serious bottleneck to improved VM 
performance. 

These technical advances have brought new security problems 
to the enterprise as well. A key advantage of virtualization, 
application isolation, was seriously weakened with the first 
virtual-assist processors released. Users depend on VM security being 
at least as good as that of physical hardware, but virtual-assist 
hardware created new vulnerabilities. The least harmful of these 
was the ability of one guest to circumvent security policies to 
directly access another guest on the same system. 

This was bad enough, but an even worse flaw enabled a more 
serious exploit, called the Blue Pill. An allusion to the blue and red 
pills from the popular movie The Matrix, the Blue Pill attack lets a 
hacker break into any system running on a virtual-assist processor, 
whether or not the system was actually using virtualization. The 
interloper could even virtualize a running, not-virtualized operating 
system on the fly, letting them intercept all of the victim OS's input 
and output. Worst of all, a victim system cannot detect that it has 
been hacked. 

The only fix to these and other security issues is new hardware 
containing safety features designed to block illicit virtualization and 
cross-guest communications. This presents a problem for users of 
the current hardware, who must try to mitigate the risk with more 
vigilant external intrusion detection systems. 

As long as computers cost money, virtualization will have a 
mission saving it: through improved efficiency, reduced energy and 
space requirements, enhanced administration, and increased system 
resilience. However, there is a pessimistic take on the future of 
virtualization. Some experts believe that we are approaching a day 
when computers will, in fact, become so cheap as to be free. 
Nanoengineering and quantum computing are two nascent technologies 
that could make computers as cheap and plentiful as grains of 
sand, or even motes of dust. The best estimates still put that day 
decades in the future. 


Virtualization Technology Overview 

The term "virtualization" has become a broad one in 
today's computing milieu. As a popular buzzword, 
marketers want to squeeze every conceivable product 
under its umbrella. Thus, in addition to the traditional 
processor virtualization, we now have storage (disk), 
presentation, application, and container virtualization. Although 
you can make plausible technical arguments for each of these 
categorizations, the main virtualization story is right where it's 
always been: processor virtualization—the art of saving money by 
simulating one or more computers on another computer. 

Processor virtualization is attractive because working with a 
simulated computer is much less time consuming and expensive 
than working with real hardware. First, you can conjure as many 
simulated computers as you need out of thin air (plus memory and 
disk); real computers cost real money. You can "install" a simulated 
computer, completely connected into your network, with the wave 
of a mouse; real computers require screwdrivers and heavy lifting. 
You can move a simulated computer across the room or around 
the world almost instantly without even shutting it down; real 
computers require boxes, planes, trains, and trucks. 

Virtualization saves time, and time is money. Ultimately the 
key draw of virtualization is its ability to save money, by improving 
resource utilization, speeding deployment, reducing management 
labor, enhancing resilience, and hardening security. 

Alas, even this constrained technology space has several types 
and finely shaded variations. Perfectly emulating one computer on 
another turns out to be a slow process, so compromises must be made 
to gain essential performance. Understanding those compromises and 
how vendors package them into different virtualization products is 
essential to making informed purchase decisions. 

So read on to learn what compromises exist in the 
virtualization marketplace. You'll be better prepared to untangle 
confusing vendor claims, and ready to begin the selection process 
for your own virtualization deployment. 

Raghu Raghuram, 
VP Products and 
Solutions, talks about 
VMware’s impact 
on the evolving 
virtualization 
market. 

Raghu Raghuram leads worldwide product 
marketing, product management, solution 
marketing and business planning for the 
VMware Infrastructure business. Since 
joining VMware, he has held multiple roles 
in product management and marketing, most 
recently running product marketing for the 
VMware Infrastructure product line. Prior to 
VMware, Raghu has held product management 
and marketing roles at AOL, Bang Networks 
and Netscape. Raghu holds an MBA from the 
Wharton School of Business and a Masters 
in Electrical Engineering from the Indian 
Institute of Technology, Bombay. 


What trends do you see in 
customer adoption of VMware 
virtualization? 

Raghu: I would say the headline 
message is that our customers are 
going from using virtualization as 
something that you do for server 
consolidation to virtualization 
as a way to transform IT. As 
customers take virtualization from 
consolidation to being a strategic 
platform for IT transformation, 
they typically go through five 
stages. 

The early use of virtualization 
is primarily for partitioning or 
separating the hardware from 
the software. And this has a lot 
of benefits, especially if you’re 
in a development lab where you 
can isolate the software from 
the hardware and do a lot of 
destructive testing and so on. 

Then they get into consolidation, 
which we all know has tremendous 
benefits. But consolidation is just 
the beginning of serious VMware 
use. 

Once they consolidate, they 
say, “OK, instead of just doing 
single-server consolidation, why 
don’t I take all the data center 
resources and pool them together 
almost like an aggregate—a 
large computer, if you will—and 
divvy them up for multiple 
business units to use.” We call this 
stage aggregation. Once they’ve 
aggregated their data center, the 
next stage is to automate it. They 
take existing manual processes, 
like software provisioning or 
application deployment, or they 
take an application through its 
lifecycle, and they do it in an 
automated, controlled manner so 
that they gain labor efficiencies 
as well. And they get better 
repeatability of IT processes, and 
therefore fewer errors. 

Finally, our customers 
dramatically transform disaster 
recovery. More than two-thirds 
of our customers use our 
products for disaster recovery. We recently 
announced a new product called the Site 
Recovery Manager, which automates 
the process by which a company can 
fail one data center and recover another 
data center. We are doing this with the 
help of our strong ecosystem of storage 
partners, and we have integrated with their 
technology. 


How do you see VMware 
transforming computing? 

Raghu: VMware has introduced 
a fundamentally new and better 
model for computing. The 
traditional computing model is that 
you have an application, which is 
connected to an operating system, 
which is in turn connected to 
hardware. We are creating a model 
where you aggregate and pool these 
resources in a very cost-effective 
manner and automatically assign 
the resources to the applications 
that most need them. And all of 
this is done in a very dynamic 
fashion without the application 
even realizing that it’s being moved 
around, or without end users 
realizing that they are connected 
to an application that’s being very 
dynamically reallocated to where 
the resources exist. This level of 
agility and responsiveness has not 
been possible in computing before. 
So that’s one point. 

The second point is that, 
traditionally, we have addressed 
availability or security based on the 
operating system or application, 
and this tends to make things 
very complex because we have 
to do it differently for each such 
combination. Now—because we 
are sitting at an interesting vantage 
point that is outside the hardware, 
outside the operating system, 
outside the application—we can 
solve these application, security, 
reliability, and availability problems 
in a very different and better way 
than has been done before. So 
there are new opportunities for the 
security ecosystem, for example, 
to detect security threats. On the 
availability side, we have introduced 
a lot of capabilities, and our 
partners are introducing a lot of 
capabilities, to fail over, or protect, 
from anything from a single 
hardware component failure all the 
way to an entire data center failure. 
All of this results in a self-healing 
infrastructure and a fault-tolerant 
infrastructure that again has never 
been possible before. 

And the impact of VMware 
is not only at the infrastructure 
level, it is also spreading to 
the application level. Software 
companies are packaging their 
applications along with their 
operating systems into what is 
called virtual appliances, and this 
enables software companies to 
simplify how they test and release 
software. And for customers it 
simplifies how they get packaged 
applications up and running 
because all you have to do now is 
just turn on the appliance, much 
like you do a physical appliance. 
You really don’t have to care about 
configuring the operating system 
or testing the operating system 
separately from the application. 

All of that goes away. So this 
phenomenon of virtual appliances 
is transforming how software 
is deployed, distributed, and 
configured. 

Once you start putting all of 
these things together, you get a 
completely different computing 
model that is fundamentally 
superior to the model of today. 

Can you talk about the measurable 
results that have been achieved by 
VMware customers? 

Raghu: Yes. This has been very 
well documented, and the results 
come about in a couple of 
different categories. At the core 
is capital expenditure reduction 
because you are buying fewer 
hardware components for a given 
application. We have an ROI/TCO 
calculator on our Web site, as 
well as customer case studies, that 
show that you save an average of 
about $8,000 per application over 
a 3-year lifespan. This means that 
if you take an application that a 
company is running on a physical 
server attached to a network, 
attached to storage, and so on, and 
then you turn it into an application 
running in a virtual machine, you 
end up with a savings of about 
$8,000. 

Now that’s only part of the 
story. The second part of the 
story is the environmental impact 
and the operational savings as a 
result. What I mean is that when you turn 
off a server, you’ll save a lot of power and 
cooling in the data center. It costs about 
$700 a year to provide power and cooling 
to a server, so if you turn it off, you’re 
automatically saving that amount. 

But even more fundamentally 
important, for every server virtualized, 
customers can save 7,000 kilowatt hours 
of electricity, 4 tons of CO2 emissions per 
year, which is equal to about one and a 
half cars running on the road per year. 

And that, needless to say, has a significant 
environmental impact, which goes far 
beyond the data center. It is a corporate 
boardroom topic these days, and a general 
social concern. 

How does virtualization interact with other 
emergent technologies or business models, 
such as SOA? 

Raghu: SOA is a powerful application 
development paradigm that essentially says 
that you can compose your applications 
from pre-built services or existing services 
that your applications might already have. 
Now that’s great news! But when you start 
to put it into deployment new challenges 
emerge. 

For example, how do you size an 
SOA application now, because your 
application now has 5 or 10 components, 
maybe running on 5 or 10 different 
servers? Previously, if you had to size 
your application, all you needed to know 
is what kind of hardware you needed for 
that particular application. Now, because 
everything is distributed, the whole notion 
of sizing an infrastructure, and ensuring 
that that application gets the services and 
resources that it needs all the time—all of 
those things become very complicated. 

And this is where virtualization 
is a perfect complement to service- 
oriented architecture because VMware 
virtualization specifically enables you to 
take all of this hardware and treat it as a 
pool of resources and allocate that pool 
of resources to a collection of services. So 
you can say, “This application is composed 
of these six different VMs, and for this 
group of these six VMs I want to specify 
a resource management policy,” or “I 
want to specify a backup policy, I want 
to specify a DR policy,” and so on. So 
now the infrastructure can be dynamically 
adjusted to the application. Some analysts 
call this service-oriented infrastructure, 
or an infrastructure that’s aware of the 
application that’s running on top of it and 
how it’s constituted. 


As you look at the competitive 
market, what would you say are 
VMware's advantages compared to 
other virtualization vendors? 

Raghu: The important thing to 
realize is that because VMware has 
been in the marketplace for nearly 
10 years now, we have been able 
to do three things that all other 
vendors have to do as they come in 
to the marketplace: 

First, our product is being used 
by more than 100,000 customers, 
and it has an unmatched reputation 
for reliability and maturity. We have 
a customer who has been able to 
run their server without bringing 
it down for over 4 years. That’s 
unheard of in the open systems 
world, and that kind of reliability 
and maturity, and the fact that it’s 
proven in production, comes over 
a long period of time and comes 
from having your software run all 
kinds of applications in all kinds 
of customer environments. That’s a 
significant advantage that no other 
competitor can gain overnight. 

Second, it’s really not about 
virtualization; it’s about what 
you do with virtualization. All 
of our competitors are just now 
coming into the market with 
basic virtualization. Because we 
brought basic virtualization into 
the market several years ago, all 
of our energy is now focused on 
what you do with virtualization. 

In other words: How do you 
run a dynamic data center with 
virtualization? How do you do 
better power management of the 
data center with virtualization? 
How do you do better disaster 
recovery with virtualization? How 
do you deploy applications better 
with virtualization? How do you 
guarantee service levels for your 
applications with virtualization? 

Third is our notion that 
virtualization should be universal 
and it should belong to the hardware, 
so all the hardware vendors 
are shipping our product with 
their server products. When you 
turn on a server, you get virtualization 
turned on automatically. 
Virtualization becomes as simple 
and as ubiquitous as having a 
server in your data center. 

www.vmware.com/go/windows 

The Perfect World 

A computer being simulated inside another computer is called 
a virtual machine. Virtual, here, means fake. The underlying real 
computer is called the virtual host, or just host, for short. In a 
perfect world, the virtual host would so purely simulate the target 
virtual machine that you could run any operating system on it 
without modification. The operating system running on the virtual 
machine, called the guest OS, would have no way of detecting that 
its underlying hardware was a sham. Oh, and one other thing: in a 
perfect world, the virtual machine would be fast—fast enough so that 
you would no longer even think of going back to a real computer. 

You already know that it's not a perfect world. It turns out that 
near-perfect simulation fidelity is achievable, but the resulting virtual 
machine is generally too slow to be good for anything. Yes, the very 
first virtual machines were of the pure type (see "The Past, Present, 
and Future of Virtualization"), running unmodified guest 
operating systems with good success. Called native virtualization 
(and sometimes full virtualization), these systems employed 
specialized hardware to ensure that the guest OS would be 
completely fooled by the simulation. 

But physical computers were hideously expensive at the time, 
making virtualization very attractive. As computer prices dropped, 
which they continue to do to this day, users demanded more 
performance than native virtualization could deliver, especially when 
users could go purchase general-purpose computers much less 
expensively than the big iron required for virtualization. 

This led to the first compromise, called partial virtualization, 
in which the guest OS would be the same one running the real 
hardware. By sacrificing the ability to run an arbitrary guest OS, the 
virtual machine could be simplified, which improved performance. 

In the heyday of mainframe virtualization this approach made such 
systems as IBM's MVS (Multiple Virtual Storage) cost effective. 

Computing progressed and IBM's dominance diminished. 

Other operating systems, such as Windows, gained prominence. 
Virtualization users began to once again desire the ability to 
run diverse guest operating systems, bringing us to the third 
compromise, paravirtualization. In this scheme, the virtual machine 
doesn't simulate hardware so much as simply share it well. It does 
this by modifying the guest OS so that whenever it attempts to talk 
directly to the hardware—for I/O, for example—it instead makes 
a call to the host operating system, called a hypercall. The host 
operating system was not a complete, general-purpose OS, but one 
stripped down to provide just the ability to perform I/O and other 
housekeeping tasks: the hypervisor. 

Today's virtualization products employ one or a combination 
of these compromises to deliver their particular feature advantages 
and performance capabilities. Seeing how vendors leverage these 
processor virtualization approaches gives you valuable insight into 
the strengths and weaknesses of their products. 

Native Virtualization 

Although quickly eclipsed by partial virtualization in the 1970s, 
native virtualization surged to popularity again in the late 1980's 
with Connectix' Virtual PC. Virtual PC let Mac users run Microsoft's 
Windows, IBM's OS/2, and ultimately the free Linux operating 
systems on Mac hardware. This was no mean feat, as Windows ran 
only on Intel x86 processors and the Mac used Motorola's 68000 
(and later IBM's PowerPC) chips. (Microsoft later bought Connectix 
and still sells Virtual PC, which can run on Windows as well as 
Mac OS computers.) 

Pure native virtualization, simulating every aspect of the 
target computer—right down to the machine instruction set—was 
the only way to pull this off. Primarily due to its full virtualization, 
Virtual PC was slower than the computer it simulated, but slow was 
better than nothing for Mac users; Mac users still saved money by 
not having to buy an entire Windows computer, and saved time by 
not having to switch between systems. 

Today native virtualization is still used in many virtualization 
products: Linux' Kernel-based Virtual Machine (KVM), Microsoft's 
Virtual Server 2005, VMware's Workstation and GSX Server, and 
Parallels' Desktop and Workstation editions. The convergence 
of CPU architectures on the Intel x86 model has softened 
the performance hit of full virtualization, since most machine 
instructions can be run directly on the host computer's silicon. 

Strictly speaking, all of these products work at some level 
with unmodified guest operating systems, but most do supply 
optional modifications—called virtual additions (VAs) in the VM 
marketplace—to further boost performance, add features such as 
dynamic reconfiguration, and support enhanced administration. For 
example, VMware supplies VMware Additions for Windows guests, 
which add the ability to dynamically reallocate memory among 
several virtual machines. Other VA capabilities include graceful 
external shutdown, snapshots, and virtual network configuration. 

Hardware Assistance 

Back in the 1960's, the very first virtualization system, IBM's CP-40, 
employed customized hardware to gain acceptable performance. 
When native virtualization came to the desktop, it was designed 
to work with generic microprocessors, so that any computer could 
be pressed into service as a virtual host. Eventually, however, 
microprocessor vendors, such as Intel and AMD, realized they could 
improve virtualization performance while reducing complexity by 
adding virtualization extensions to their processor architectures. 

In 2005, Intel launched its Intel Virtualization Technology (IVT) 
with specific Pentium 4 chip models; shortly thereafter Intel made 
IVT a stock processor feature in its Xeon, Core Duo, and Core 2 
Duo lines. Intel's 32-bit virtualization extensions are collectively 
called VT-x; the 64-bit (Itanium) equivalent is termed VT-i. At about 
the same time AMD shipped its AMD-V extensions for the Athlon, 
Turion, Opteron, and Phenom 64-bit CPUs. 

Virtualization software vendors quickly took advantage of 
these extensions, gaining a free performance boost and leading 
to the next generation of virtualization products, which employ 
paravirtualization. 
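Because hardware assistance decides which products a machine can host, a useful inventory check is whether a candidate server actually advertises VT-x or AMD-V. The following is an added example, not code from the article or from any vendor; it assumes a Linux host, where `/proc/cpuinfo` lists `vmx` for Intel VT-x and `svm` for AMD-V, and the sample inputs are constructed.

```python
"""Check whether a Linux host advertises VT-x (vmx) or AMD-V (svm)."""
import os

# Linux lists CPU feature bits on the "flags" line of /proc/cpuinfo.
VIRT_FLAGS = {"vmx": "Intel VT-x", "svm": "AMD-V"}

# Constructed sample: two logical CPUs, both advertising vmx.
SAMPLE_VT_HOST = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Constructed Sample CPU A\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 vmx est tm2\n"
    "\n"
    "processor\t: 1\n"
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Constructed Sample CPU A\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 vmx est tm2\n"
)

# Constructed sample: a legacy single-CPU server with no virtualization flag.
SAMPLE_LEGACY_HOST = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Constructed Legacy CPU\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2\n"
)

# Constructed sample: CPU 1 carries only a look-alike token (svm_lock),
# which must not be counted as the svm flag itself.
SAMPLE_MIXED_HOST = (
    "processor\t: 0\n"
    "vendor_id\t: AuthenticAMD\n"
    "flags\t\t: fpu vme de pse tsc msr pae svm svm_lock\n"
    "\n"
    "processor\t: 1\n"
    "vendor_id\t: AuthenticAMD\n"
    "flags\t\t: fpu vme de pse tsc msr pae svm_lock\n"
)


def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one dict per logical processor."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends one processor stanza
            if current:
                cpus.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def virtualization_support(text):
    """Summarize hardware virtualization support for one host."""
    cpus = parse_cpuinfo(text)
    found, missing_on = set(), []
    for cpu in cpus:
        # Compare whole tokens so that svm_lock is never mistaken for svm.
        flags = set(cpu.get("flags", "").split())
        hits = {name for flag, name in VIRT_FLAGS.items() if flag in flags}
        if hits:
            found |= hits
        else:
            missing_on.append(cpu.get("processor", "?"))
    return {
        "extension": ", ".join(sorted(found)) or None,
        "logical_cpus": len(cpus),
        "missing_on": missing_on,
        # Usable only when every logical CPU advertises the extension.
        "usable": bool(cpus) and bool(found) and not missing_on,
    }


if __name__ == "__main__":
    if os.path.exists("/proc/cpuinfo"):
        with open("/proc/cpuinfo") as handle:
            print("this host:", virtualization_support(handle.read()))
    for label, sample in (("vt", SAMPLE_VT_HOST),
                          ("legacy", SAMPLE_LEGACY_HOST),
                          ("mixed", SAMPLE_MIXED_HOST)):
        print(label, virtualization_support(sample))
```

A host reported as not usable may lack the extension entirely or may simply not expose it to the operating system, so check firmware settings before writing the server off.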

Hyping Hypervisors 

Despite the speed-up gained from hardware assistance, native 
virtualization products still suffered from one painful performance 
bottleneck: I/O. Simulated peripheral devices and network interfaces 
must by definition be slower than their hardware equivalents, 
because ultimately they must communicate with the same hardware 
an unvirtualized OS uses without emulation's overhead. Vendors try 
to mitigate the I/O penalty by providing souped-up pseudo-drivers 
in the VAs, but the bottleneck is still there and it's still significant. 

Paravirtualization can get around this bottleneck by modifying 
each guest operating system to use device drivers and interfaces 
directly in the underlying host system OS. To really streamline the 
process, this host OS is stripped to the bare essentials: just enough 
code to get the host system up and running, communicate with 
devices, and take care of virtualization housekeeping. IBM invented the 
term for this software back in the 1960's with CP-40: the hypervisor. 

The primary advantage of a hypervisor approach is speed. 

With the I/O bottleneck removed, virtual machines can run as 
fast as their physical counterparts. Paravirtualization can exploit 
processor hardware assistance in the same way native virtualization 
does (and in many cases paravirtualization requires these 
enhancements), further widening the performance gap. When the 
host server dedicates CPU and memory resources to each VM, the 
effect is truly remarkable: all the performance of a dedicated system 
at a much lower capital and operational cost. 

Many virtualization product vendors are shifting to the 
hypervisor model. VMware was the first commercial VM to offer a 
hypervisor in its VMware ESX Server product. Citrix then acquired a 
hypervisor system in the open source Xen, which is still available as 
open source. Microsoft's impending Windows 2008 Hyper-V, out in 
beta now but due for shipment in August 2008, uses a stand-alone 
hypervisor that marks a major change in this vendor's OS philosophy. 

One downside of the hypervisor approach is that the 
hypervisor vendor must obtain device drivers designed to run in this 
minimal environment for every third-party peripheral or interface it 
wants to support. Not surprisingly, many hypervisor-based products 
have limited device compatibility. Worse, as new devices come to 
market, hypervisor drivers are generally the last to be released. 

A second hypervisor downside is guest OS modification, which 
hypervisor vendors can usually only complete after a particular OS 
version is released to the public. Because of this the virtual machine 
data center constantly lags behind the latest and greatest OS 
releases. Fortunately, intermediate OS releases (generally bug fixes) 
don't typically break a hypervisor-based VM. 

Vendors have been ingenious at combating these two 
disadvantages. Red Hat, for example, created a third-party device 
driver consortium to encourage virtualized device driver development. 
Microsoft is in perhaps the best position in this regard. Vendors 
almost always create drivers for Windows' desktop and server 
variants, and these run without change under Hyper-V, ensuring 
Hyper-V's continued access to a very large device population. 
Microsoft also has an advantage in modifying Windows guest 
instances, since it can simply build Hyper-V support into Windows 
releases rather than applying modifications after installation. 

Virtually Mature 

Virtualization seemingly jumped on the enterprise IT radar screen, 
making huge promises of massive savings. In reality, its extensive 
history and broad application 
make virtualization a mature 
technology. Hardware 
advances have simply made it 
much more attractive than it 
was in the past. That, coupled 
with tighter budgets and rising 
labor and energy costs, makes 
this one technology you must 
get to know intimately. 

Virtualization Best Practices 




Although many x86 virtualization products run 
on just about any kind of virtual host hardware, 
achieving good performance requires some careful 
configuration scrutiny. Similarly, although you can 
convert nearly any physical server into a virtual one, 
that doesn't mean you should. In this article, you will learn what 
you need to consider when you're choosing a virtual host; how 
to assess which servers in your organization might and might not 
make good virtualization candidates, or "guests," for the host 
server; and some general best practices for virtualization. 


What Servers Make Good Virtual Hosts? 

A virtual host server hosts virtualized guests. A host server can use 
a hypervisor virtualization solution such as Hyper-V or Xen, or it can 
use a native virtualization product such as Virtual Server 2005 R2 or 
VMware Server. To understand the differences among these different 
types of virtualization, see the article "Virtualization Technology 
Overview," also included in this special virtualization report. 

To be good virtual hosts, servers 
• Must be exceptionally well provisioned with hardware and 
memory. When you consider the deployment of a host server,
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remember that you want the most powerful processor and the 
greatest possible amount of RAM. You should strongly consider 
servers that have multiple processors. Some virtualization products 
even let you dedicate specific processors to virtual computers. 
However, when configuring multiple processors, pay attention to 
the licensing limitations of your chosen virtualization platform. 
Some permit only a certain number of sockets or cores for the 
base license fee; taking advantage of more than that number 
costs extra. 

Here's a good rule of thumb for host server memory: For each 
virtual machine that the server hosts, you'll need from 512MB to 
1GB of memory, in addition to the 1GB to 2GB the host server's 
OS requires. The exact memory requirements will depend on 
each guest virtual machine's OS and application configuration. 

For example, a virtualized Windows NT 4 server with 10 users 
requires fewer resources than a virtualized Windows Server 2008 
computer with 200 users. 

• Should include virtualization support. The most recent x86 
CPUs have special hardware support that improves virtualization 
performance and sometimes security. Since 2005, Intel's VT-x and 
AMD's AMD-V feature sets have been included by default in most 
CPUs. However, many legacy servers are still in operation without 
this capability. It may be to your advantage to purchase a new 
server with virtual assist features over a slower legacy server that 
might otherwise be "free". 

• Should be suitable for potential expansion. You might need to 
increase the host server's RAM and add more processors and 
hard-disk-drive capacity in the future. One architectural feature to 
consider is CPU address length: 32-bit vs 64-bit. Although more 
software is compatible with 32-bit systems, 64-bit systems are 
more likely to have higher upper limits for memory and number 
of processors. Most virtualization products run on 64-bit CPUs, 
yet can easily run 32-bit guests in emulation mode. You'll pay 
more for 64-bit up front and when upgrading memory, but the 
increased capability is usually worth it. 

• Must have some form of redundant storage (such as RAID 
10). In addition, some virtualization solutions allow for failover 
clustering, in which several servers are grouped so that if one 
server fails or is unavailable, another server automatically takes 
over and continues processing for the other server. Combined 
with redundant storage, failover clustering alleviates a primary 
concern of relying on a single virtual host for all your processing 
functions. For your initial virtualization foray, internal disk storage 
is probably adequate, although you should employ a hardware 
RAID controller rather than the slower and less-reliable software- 
emulated RAID. For larger virtualized data centers, however, 
seriously consider centralized storage in the form of a Storage 
Area Network (SAN) device. You gain valuable economies of scale 
with a SAN, as well as useful administrative advantages, such as 
the ability to perform live migrations of virtual guests from one 
virtual host to another. 

What Servers Are Good 
Virtualization Candidates? 

Three general types of server make good virtualization candidates,
or guests:

1. The old server. Old servers include computers such as old
Windows NT 4.0 or Windows 2000 servers using hardware that is
now dated and would be difficult to replace if it failed. You might
be currently making good use of the server hardware resources,
but, given the age of the hardware, you have legitimate concerns
about possible future failures. As computing power increases
every year, you will find that you can often virtualize multiple
servers, whose hardware was state-of-the-art five years ago, on a
single computer with today's state-of-the-art hardware.

2. The underutilized server. You can identify underutilized servers in 
a couple different ways: by location and by function. 

• By location. In many organizations, branch offices, which tend 
to have fewer users, host the majority of underutilized servers. 
Fewer users means that individual servers are more likely to have 
lower I/O requirements, making them good potential candidates 
for virtualization. If your organization has branch offices, you 
might find that you can significantly reduce the number of 
physical servers hosted at these locations by virtualizing them 
onto one host computer. 

• By function. Organizations often deploy certain roles, such as 
DNS, DHCP, and Intranet, on separate servers, even though 
any one function is unlikely to tax the server hardware. With 
virtualization, you can keep roles on separate computers while 
consolidating their processing on a single deployed server. 

The added benefit of virtualizing an underutilized server 
is that you can redeploy the original hardware once you have 
virtualized the role the server has been hosting. 

3. The test server. Test servers make excellent candidates for 
virtualization. Unlike a production database server that many 
people use, a development database server's use is limited to a 
small number of people. As a result, you can virtualize the test 
server and free up important hardware for other tasks. 

What Servers Are Not Good 
Virtualization Candidates? 

Servers that generally are not good virtualization candidates have 

• Unique or unusual hardware that defines their purpose. When 
you're auditing existing hardware to determine what can be 
virtualized, be aware that unique or unusual hardware is often
a virtualization showstopper. Virtualization works best when the
virtualized host needs access only to the standard set of hardware 
that all servers share. So if your organization is like many others 
that keep old servers around because their function would be a 
hassle to migrate to a newer platform, it's best to look elsewhere 
for virtualization guests. (For example, your remote branch office 
might be using a decade-old fax server running on Windows NT 
4.0 because the original financial investment was significant, the 
server still works, and replacing it would take money from other 
priorities.) 

• High I/O requirements or a monopoly on hardware resources. A 
core benefit of virtualization is the capability to host multiple guests 
on a single server, and if one guest monopolizes the host server's 
resources, you will not be able to effectively host other guests on the 
same server. 

These high-demand servers usually make poor candidates for 
virtualization because virtualized servers must all share the same 
hardware. For example, a highly utilized file server needs to share 
disk and network resources with every other virtual guest on the 
host, so that file server makes a poor candidate for virtualization. 

And as a general rule, virtualizing a computer is pointless when its 
performance profile means that it will be the only guest that can 
run on the virtual host. The exception to this rule is a computer with 
failing hardware running an older OS that cannot be upgraded to 
new hardware and must be run in a virtualized manner. For example, 
you might have a Windows NT 4 server running customized software 
that will not run on later versions of Windows. If this computer is 
suffering intermittent hardware failures and you cannot replace the 
failing hardware, virtualization is worth considering. 
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To summarize: Assess the processor, memory, and I/O profile of 
the guest candidates for virtualization. You should be reluctant to 
virtualize computers that exhibit excessive processor or I/O activity 
unless the hardware of the virtualization candidates is significantly 
slower than that of the host computer. 
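
The screening criteria and the host memory rule of thumb above, combined into one planning script as an added example (not from the original article). The 50 percent host-share cutoff, the relative_cpu_speed field, the host disk figure, and the sample inventory are assumptions constructed for illustration; the article gives no numeric thresholds.

```python
from dataclasses import dataclass

# Rule of thumb quoted in the article, in MB.
PER_GUEST_MB = (512, 1024)   # 512MB to 1GB for each guest
HOST_OS_MB = (1024, 2048)    # 1GB to 2GB for the host OS

# Assumption: the article says "excessive" without a number. Here a guest is
# excessive when it would need more than this share of the host's CPU or disk.
MAX_HOST_SHARE = 0.5


@dataclass
class Candidate:
    name: str
    avg_cpu_pct: float                # average CPU use on its current hardware
    avg_disk_iops: float              # average disk operations per second
    relative_cpu_speed: float = 1.0   # current CPU speed / host CPU speed
    special_hardware: bool = False    # unique hardware that defines its purpose
    failing_legacy: bool = False      # failing hardware, OS cannot move to new hardware


def host_share(c, host_disk_iops):
    """Largest fraction of the host (CPU or disk) this guest would consume."""
    # Scale CPU load by how much slower the old hardware is than the host.
    cpu = (c.avg_cpu_pct / 100.0) * c.relative_cpu_speed
    disk = c.avg_disk_iops / host_disk_iops
    return max(cpu, disk)


def assess(c, host_disk_iops):
    """Apply the article's criteria in order and return a verdict string."""
    if c.special_hardware:
        return "keep-physical"
    if host_share(c, host_disk_iops) <= MAX_HOST_SHARE:
        return "virtualize"
    # A guest that would monopolize the host is only worth virtualizing
    # when its hardware is failing and it cannot be moved any other way.
    return "dedicated-host" if c.failing_legacy else "keep-physical"


def host_memory_range_mb(guest_count):
    """Low and high host RAM estimates for a number of guests."""
    low = HOST_OS_MB[0] + guest_count * PER_GUEST_MB[0]
    high = HOST_OS_MB[1] + guest_count * PER_GUEST_MB[1]
    return low, high


def plan(candidates, host_disk_iops):
    """Sort candidates by verdict and size the shared host's memory."""
    result = {"virtualize": [], "dedicated-host": [], "keep-physical": []}
    for c in candidates:
        result[assess(c, host_disk_iops)].append(c.name)
    result["host_memory_mb"] = host_memory_range_mb(len(result["virtualize"]))
    return result


# Constructed sample inventory (not real measurements).
SAMPLE = [
    Candidate("nt4-fax", 10, 20, relative_cpu_speed=0.1, special_hardware=True),
    Candidate("branch-dns", 5, 30, relative_cpu_speed=0.5),
    Candidate("old-intranet", 80, 100, relative_cpu_speed=0.2),
    Candidate("file-01", 30, 1500),
    Candidate("nt4-custom", 90, 900, failing_legacy=True),
]

if __name__ == "__main__":
    for key, value in plan(SAMPLE, host_disk_iops=2000).items():
        print(key, value)
```

The old intranet server runs at 80 percent CPU on its own hardware but qualifies because that hardware is assumed to be one-fifth the speed of the host.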

Monitoring Existing Virtualized Servers 

With products such as Microsoft's System Center Virtual Machine 
Manager 2007, you can monitor how much of the host computer's 
resources virtualized guests are consuming. Just as you track how 
traditionally deployed servers consume resources, be especially 
careful to track virtualized guests to ensure that no one single guest 
is monopolizing host resources. Remember that although you can 
rationalize server hardware resources with virtualization, doing so 
comes at the cost of having resources shared between multiple 
servers. In a nonvirtualized environment, a runaway process that pegs 
a processor at 100 percent utilization typically affects a single server. 
But when that process occurs on a server that is one of many guests 
on a virtual host, the potential impact is much more widespread. 

Some virtualization products let you specify an upper limit on 
the resources that any specific guest OS might request; even so, it's 
important to keep a careful eye on guests to ensure that one guest's 
needs are not detrimental to those of other guests. If one guest does 
require more resources, consider moving that guest to another virtual 
host or redeploying it in a traditional, nonvirtualized way. 

Snapshots and Backups 

Snapshots are point-in-time representations of a virtual machine's 
state, and it's important to take regular snapshots of your 
organization's virtual machines. Almost all virtual machine software 
allows snapshots, typically while the virtual host is online; these 
snapshots generally are stored as differential images of the original
virtual machine image data. With snapshots in hand, you can
quickly roll back a virtual machine to the state in which it existed at 
a particular point in time. 

It is best to also back up the snapshot data when you back up 
your virtual machine. Then, if you need to restore a virtual machine 
on another host, you can also restore a snapshot of the virtual 
machine rather than simply the state of the virtual machine as it 
existed at the time of the backup. With products such as System 
Center Virtual Machine Manager 2007, you can automate these 
tasks and automatically back up and redeploy your virtual machines 
using high-speed Storage Area Networks (SANs). 

Final Advice 

To recap the virtualization best practices presented here: 

• Keep an eye on the performance of virtual host computers to 
ensure that the guest OSs they host are not bogging down their 
resources. If a host is being overwhelmed by its guests, consider 
upgrading the host hardware or migrating the most demanding 
guest OSs to new virtual hosts. 

• Ensure that virtual hosts are configured to be fault tolerant, and 
to use failover clustering if your virtualization solution supports it. 

• Monitor virtualization guests so they don't monopolize host 
resources; if guests exhibit excessive processor or I/O activity, 
consider nonvirtualized redeployment. 

• Take regular snapshots of virtual machine states and include those 
snapshots in your virtual machine backup strategy. 


About the Author 

Orin Thomas is a contributing editor for Windows IT Pro and a 
Windows Security MVP and has authored or coauthored more than 
a dozen books for Microsoft Press. 
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FEATURE 


Windows Server 2008's Radical Features


An OS worth the wait adds muscle 
in a new era of 64-bit server 
computing 

by Paul Thurrott 





Windows Server 2008 is the most substantial
upgrade to the Windows Server product line
since Windows 2000, with a sweeping set of
new capabilities and a reengineered core that
will usher in a new era of 64-bit server computing.
Like its Windows Vista stablemate,
Server 2008 was in development an achingly long time, and some
of its many features were originally slated for its predecessors,
Windows Server 2003 and Windows 2003 R2. Unlike Vista's schedule,
however, Server 2008's lengthy schedule hasn't proven problematic.
In fact, it's arguably worked to the product's advantage: This
is a refined, mature, and stable OS that will no doubt power server
systems of all kinds for years to come.

Though Server 2008 uses an evolved version of the Active 
Directory (AD) infrastructure that first debuted in Win2K, many 
of the features of this new OS are radical and revolutionary. Key 
among these major advances are Server Core, which provides a 
lightweight version of the server aimed at specific workloads, and 
Hyper-V, Microsoft's hypervisor-based virtualization technology. 

As befits a major Windows Server upgrade, Server 2008 also includes a slew of smaller, functional advances as well
as key gains in scalability, reliability, manageability, performance, and security.

Server 2008 is a feature-rich upgrade with numerous functional advantages over its predecessors. Here are
some of the changes in this release that I feel will have the biggest customer impact. (For more information about
the specific Server 2008 versions, see the sidebar, "Windows Server 2008 Availability and Licensing," page 30.)
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Windows Server 2008 
Availability and Licensing


As with Windows Vista, Windows Server 2008 is available in several
different product editions. These editions support different hardware
platforms (32-bit x86, 64-bit x64, and Itanium), some of which include
support for the Hyper-V virtualization technologies and some that do
not. (Note that Hyper-V is only enabled on x64 versions of Windows
Server 2008.)


Pricing: $2,999 per processor 
Supported processors: 64 
Supported RAM: 64GB 

Notes: This version of Server 2008 doesn't support Hyper-V or Server Core 
and is designed for three discrete usage scenarios: Large databases, line- 
of-business (LOB) applications, and custom applications. 


Windows Web Server 2008 

Availability: Separate 32-bit (x86) and 64-bit (x64) versions 
Pricing: $469 

Supported processors: four 
Supported RAM: 4GB (x86) or 32GB (x64) 

Notes: Windows Web Server is designed specifically around the Web Server 
role and cannot be used as an Active Directory (AD) domain controller 
(DC). (It can, however, be configured as a domain member.) This version 
doesn't include Hyper-V but does support Server Core installations. 

Windows Server 2008 Standard, Windows Server 2008 Standard without
Hyper-V

Availability: Separate 32-bit (x86), 64-bit (x64), and 64-bit (x64) without 
Hyper-V versions 

Pricing: $999 (with five Client Access Licenses—CALs); $971 without 
Hyper-V 

Supported processors: four 
Supported RAM: 4GB (x86) or 32GB (x64) 

Notes: Includes one virtual instance per license. 

Windows Server 2008 Enterprise, Windows Server 2008 Enterprise 
without Hyper-V 

Availability: Separate 32-bit (x86), 64-bit (x64), and 64-bit (x64) without 
Hyper-V versions 

Pricing: $3,999 (with 25 CALs); $3,971 without Hyper-V 
Supported processors: eight 
Supported RAM: 64GB (x86) or 2TB (x64) 

Notes: Includes four virtual instances per license. Builds on Standard 
Edition and adds Windows Clustering. 

Windows Server 2008 Datacenter, Windows Server 2008 Datacenter 
without Hyper-V 

Availability: Separate 32-bit (x86), 64-bit (x64), and 64-bit (x64) without 
Hyper-V versions 

Pricing: $2,999 per processor; $2,971 per processor without Hyper-V 
Supported processors: 32 (x86) or 64 (x64) 

Supported RAM: 64GB (x86) or 2TB (x64) 

Notes: Includes unlimited virtual instances per license. Builds on Enterprise 
Edition. 


Microsoft Hyper-V Server 

Availability: A single 64-bit (x64) version 
Pricing: $28 (no, that's not a typo) 

Notes: The new Hyper-V Server is a special version of Server 2008 that 
supports only the Hyper-V role, providing a near bare-metal installation 
option for those who wish to run extensively virtualized environments. 
This version of the product won't ship until later in 2008. 

In addition to these products, Microsoft recently announced that two
new Server 2008-based products will debut in the second half of 2008.
These products are Windows Small Business Server (SBS) 2008 and
Windows Essential Business Server 2008.

SBS 2008, code-named Cougar, is aimed at businesses with up to 50
PCs. It will ship in two versions, one of which includes Server 2008,
Microsoft Exchange Server 2007, Windows SharePoint Services 3.0, and
one-year trial subscriptions to Microsoft Forefront Security for
Exchange Server Small Business Edition and the new Windows Live OneCare
for Windows Server. SBS 2008 Premium adds a second copy of Server 2008
(32-bit or 64-bit) and Microsoft SQL Server 2008 Standard Edition
(32-bit or 64-bit) and can be installed on a second server.

SBS 2008 Standard will cost $1,089 with five CALs, while individual CAL
costs fall from $100 to $77. The Premium edition will cost $1,899 with five
CALs. A new Premium CAL is $189. Both of these products are a bit more
expensive than their predecessors, but because of the individual CAL price
drop, and the ability to buy CALs individually for the first time, the overall
cost of SBS should be cheaper for most customers.

Windows Essential Business Server 2008, previously code-named 
Centro, is a new product aimed at mid-sized businesses with up to 
250 desktops. This product is installed on three separate servers and 
includes Server 2008, Exchange Server 2007, Forefront Security for 
Exchange Server, Microsoft System Center Essentials (SCE) 2007, and 
the next version of Microsoft ISA. The Premium edition of the product 
will also include SQL Server 2008. Essential Server requires four physical 
servers. 

Essential Business Server 2008 Standard will retail for $5,427 with CALs 
costing $81; the standalone cost of the bundled products is about $7,799, 
Microsoft says. Meanwhile, Essential Business Server 2008 Premium is 
$7,163, with CALs costing $195 each. The standalone cost of the bundled 
products in that edition is about $10,213. Essential Business Server 2008
products will be sold only in 64-bit (x64) versions (aside from the
secondary servers in SBS 2008 Premium).


InstantDoc ID 99142

Windows Server 2008 for Itanium-based Systems

Availability: A single 64-bit version designed for Intel Itanium-based servers 
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Componentization 

Microsoft has completely redesigned Windows Server to be functionally
componentized, a major change that has wide-reaching ramifications.
At a high level, componentization allows for a more easily serviceable
system, both for Microsoft and its customers. It also provides a more
secure and reliable system, because it minimizes communication and
dependencies between individual components.

More specifically, componentization enables some of Server 2008's most
exciting new functionality, such as its image-based deployment
facilities, roles-based management, and Server Core.

Server Manager 

While previous versions of Windows Server featured separate management
consoles for all of the various roles and features in the OS (although
Windows 2003 did have a simple Manage Your Server dashboard),
Server 2008 provides Server Manager, a true one-stop shop for daily
management needs.

Microsoft Management Console (MMC)-based Server Manager provides
a UI, which Figure 1 shows, for managing each installed role and
feature on the system, including Active Directory Domain Services
(AD DS), Application Server, DHCP Server, DNS Server, File Services,
Terminal Services, Web Server, and many others. It also includes
numerous valuable troubleshooting tools such as Event Viewer and
Reliability and Performance Monitor; configuration tools such as Task
Scheduler, Windows Firewall, Windows Management Instrumentation (WMI)
Control, and Device Manager; and the new Windows Server Backup.

Thanks to deep componentization within the system, Server Manager also
handles any required system security settings when you add a role or
feature. There's no longer any need to separately run the Security
Configuration Wizard every time you add or change a system feature.

What makes Server Manager even more useful is that each section of the
console's UI gets its own dedicated home page, which Figure 2 shows.
Each home page offers information pertinent to the role or feature
at hand, along with links to fix problems, get

Figure 1: Windows Server 2008 Server Manager UI
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Figure 2: Windows Server 2008 console UI


more information, and access other tools. 
It's a well-thought-out and well-designed 
application, both logical and useful. 

Server Core 

Unlike previous Windows Server versions, most Server 2008 product
editions can be installed in one of two modes: the traditional
GUI-based server we've had since Windows NT 3.1 and a lightweight new
command-line-based environment called Server Core. In this new
installation mode, Microsoft has stripped out virtually all the
GUI, so there's no shell (Start Menu, taskbar, Explorer windows), and
little in the way of end-user applications; such things as Windows
Media Player (WMP), Microsoft Internet Explorer (IE), and Windows
Mail are all missing, though a few GUI-based applications such as
Notepad and Task Manager are still available. For the most part, the
only UI you'll see in Server Core is a single command-line window
floating over an empty blue backdrop. It's the ultimate anti-demo.

So what's the point of stripping out the 
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GUI? Server Core is designed to reduce the 
attack surface of the server to be as small as 
possible. As such, a Server Core installation is also more limited
than that of a standard Server 2008 installation. It supports just
nine roles—AD, Active Directory Lightweight Domain Services (AD LDS),
DHCP, DNS, File, Print, Virtualization (Hyper-V), Web Server, and
Windows Media Services (WMS)—compared to 18 roles in the full server.

Local management of Server Core is 
performed using command-line tools only. 
But because Server Core is still Server 2008, 
all of the familiar GUI-based management 
tools will work remotely just fine against 
this server. What won't work, in addition to 
the missing roles, is anything that requires a 
true GUI or the Microsoft .NET Framework. 
This cancels out some key Server 2008 functionality unfortunately,
including ASP.NET. Server Core's Web Server role is pretty much
static, supporting only older, non-.NET technologies such as ASP.

Thanks to the reduced number of on-disk components, Server Core will
need to be patched far less frequently than comparable full
installations of Server 2008. Microsoft says that Server Core's
smaller footprint reduces patching by an average of 60 percent. My
expectation is that Server Core will prove hugely popular as an
infrastructure (AD, DNS, DHCP, file, print) server and as a low-cost,
low-end Web server. It's a product that should compete well with
Linux-based solutions.

BitLocker Full-Drive Encryption 

BitLocker is a full-drive encryption solution that first debuted in
Vista as a way to protect data stored on easily lost and stolen
executive notebook computers. It requires hardware based on Trusted
Platform Module 1.2 to store encryption keys and can be configured via
Group Policy. What's unique about BitLocker is that unlike other disk
encryption solutions, it protects both online and offline volumes and
includes boot-time protection as well.

On the server, BitLocker is particularly valuable for machines stored
in branch offices, because those servers are often less well
physically protected than the machines back in the home office. If a
thief walks off with a BitLocker-protected server, he or she won't be
able to access any of the data stored on the system's hard drives.
BitLocker also works really well with some of the other technologies
discussed here, including read-only domain controller (which follows),
to create a truly secure and useful branch office solution.

Read-Only Domain Controller 

RODC is new functionality that lets administrators have the option to
configure the AD database as read-only, which means only locally
cached user passwords are stored on the machine and AD replication is
unidirectional, rather than bidirectional.

So why would you want to do this? Today, many organizations are
installing servers in branch offices and other remote locations, and
these servers often connect back to the home office using slow or
unreliable WAN links. That makes AD replication—and even
authentication—an arduous and lengthy process. With RODC, the server
is typically set up and configured in the home office, shipped to the
remote location, and then switched on.

Like BitLocker, RODC is an excellent solution for physically insecure
remote servers. Indeed, if you combine RODC with other new Server 2008
technologies such as BitLocker and Server Core, you can configure the
most secure remote server possible. That way, even hackers who gain
physical control of the server can't take over your network. And
removing the stolen RODC from your AD is as simple as checking a
switch: Only those users who logged on to that machine will need to
change their passwords. You won't have to institute an
organization-wide emergency, because only local accounts will have
been cached on that machine.

RODC is somewhat limited in that it can only support a subset of the
roles and functionality normally supported on Server 2008. For
example, while RODC-based servers can support technologies such as
Active Directory Federation Services (ADFS), DHCP, DNS, Group Policy,
DFS, Microsoft Operations Manager (MOM), and Microsoft Systems
Management Server (SMS), they don't support such technologies as
Microsoft Exchange.

Microsoft Internet Information 
Services 7.0 

The new Web server in Server 2008 is driven by a major new update to
Microsoft Internet Information Services (IIS). Like the server itself,
IIS 7.0 is completely componentized so that only those components
needed for the desired configuration are installed and, thus, need to
be serviced. It sports a drastically improved management console,
supports Xcopy Web-application deployment and delegated
administration, and is backed by a new XML-based configuration store,
which replaces the previous monolithic configuration store.

Terminal Services 

You'll see some major changes in Terminal Services in Server 2008. The
new Terminal Services RemoteApp (TS RemoteApp) functionality lets
admins remotely deploy individual application windows to desktops
instead of entire PC environments with separate PC desktops, which can
be confusing to users. These applications download and run on user
desktops and, aside from the initial logon dialog box, function and
look almost exactly as they would were they installed locally. This
functionality requires the new Remote Desktop client, which shipped in
Vista and can be downloaded for Windows XP SP2 and above (for more
information see the Microsoft download site at
www.microsoft.com/downloads).

TS Gateway lets you tunnel Terminal Services sessions over HTTPS
outside the corporate firewall, so that users can access their remote
applications on the road without having to configure a VPN client.
This is particularly useful because VPN connections are often blocked
at wireless access points, whereas HTTPS rarely is.

Terminal Services offers a few small but 
useful changes as well. These include TS 
Easy Print, which makes it easy to print to 
local printers from remote sessions, 32-bit 
color support in Terminal Services sessions, 
and seamless copy-and-paste operations 
between the host OS and remote sessions. 

Network Access Protection 

Microsoft first planned to ship simple and easily configurable network
quarantining functionality in Windows 2003, and it's here at last in
Server 2008 with Network Access Protection (NAP). This DHCP-based
feature lets you set up security policies for your network: When a
client system connects, NAP examines the device to make sure it meets
the requirements of your security policies.
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Those that do are allowed online. Those 
that do not—typically machines that only 
connect infrequently to the network, such 
as those used by travelling employees—are 
pushed aside into a quarantined part of 
the network, where they can be updated. 
How these updates happen depends on 
the configuration of your environment, but 
once that's complete, the system is given 
full access again and allowed back on the 
network. 

NAP includes remediation failback to Windows Update or Microsoft
Update if the local Windows Server Update Services (WSUS) server is
unavailable, and it's compatible with Cisco's Network Admission
Control (NAC) quarantining technologies. This is important for
corporations that have standardized on Cisco's technologies and for
those who need something more than Microsoft's DHCP-based approach to
quarantining.

Windows Firewall 

For the first time, Windows Server ships 
with a firewall that's enabled by default. 
The new Windows Firewall is bidirectional 
and works seamlessly with all of the roles 
and features you can configure in Server 
2008. In fact, Windows Firewall is part of 
the new roles-based management model: 
As you enable and disable various roles and 
features, Windows Firewall is automatically 
configured in the background so that only 
the required ports are opened. This is a 
major change, and one that could hamper 
compatibility with third-party products, so 
testing will be crucial. 

Command-Line and Scripting 
Goodness 

Those who prefer to automate their servers will rejoice in the new
command-line and scripting enhancements in Server 2008, though I'm a
bit concerned by the haphazard and temporary nature of some of these
changes. In this version of Windows Server, we're seeing the beginning
of the transition from the old DOS-like command line to the new
.NET-based PowerShell environment.

For now, however, you'll need to have a toe in both environments to
best take advantage of the new capabilities. Server Core, for example,
doesn't support PowerShell because it lacks support for the .NET
Framework. To make this even more confusing, Microsoft continues to
add Windows Shell commands to Windows Server, and Server 2008 has
several new Windows Shell commands.

On the command-line side, we get two major additions: a Server Core
management utility called oclist.exe and a command-line version of
Server Manager called servermanagercmd.exe. Both are designed with the
same premise, providing ways to configure and manage the roles that
are possible under each environment.

PowerShell is a complex but technically impressive environment, with
support for discoverable .NET-based objects, properties, and methods.
It provides all of the power of UNIX command-line environments with
none of the inconsistencies. (It also provides backwards compatibility
with Windows Shell and VBScript commands.) The issue is whether
Windows-based administrators will quickly move to this new
command-line interface. Server 2008 doesn't ship with any PowerShell
administrative commandlets—fully contained scripts that can be
executed from the command line—that can handle common management
tasks. Microsoft tells me it will ship Server 2008 commandlets on its
Web site over time and expects a community to quickly evolve as well.

Hyper-V 

One of the most important and future-looking technologies in Server
2008 isn't even available in the initial shipping version of the
product. Hyper-V is a hypervisor-based virtualization platform that
Microsoft is shipping as a beta version with Server 2008 and will
update automatically using WSUS when the technology is finalized after
mid-2008. Hyper-V offers various performance advantages over hosted
virtualization platforms such as Microsoft Virtual Server 2005.
Compared to market leader VMware, Microsoft's offering is immature and
unproven, but its inclusion in Server 2008 is sure to garner Microsoft
some attention and market share. And there are advantages to this
bundling: From a management perspective, Hyper-V is installed and
managed as a role under Server 2008, just like DHCP, file and print
services, and other standard roles.

Hyper-V ships only with x64-based versions of the product and relies on hardware virtualization features that are available only in the latest AMD and Intel chipsets. It supports both 32-bit and 64-bit guest OSs, up to 64GB of RAM in each guest OS, and up to four virtual CPUs for each guest OS. The VM images used by Hyper-V are compatible with VMs created for Microsoft's earlier virtualization products, such as Virtual PC and Virtual Server. That means it's easy to configure, manage, and service.

Wrapping It All Up 

I've only touched the surface of Server 2008, highlighting but a subset of the improvements Microsoft has shipped in this release. I'll have more to say about this impressive update, and of course my Windows IT Pro compatriots will also, in the coming months. Though familiar on the surface, Server 2008 enables so much new functionality, and comes with so many changes, that you'll need to dedicate some time to understanding how it will benefit your own requirements and needs. This effort is worthwhile: Server 2008 is a solid and impressive upgrade that should meet the needs of virtually any business customer. Highly recommended.
VMware and the Future of Virtualization

CEO Diane Greene talks about competing with Microsoft and where the virtualization market is headed


by Jeff James 


Perhaps no other company has had as big an impact on the IT industry in the past decade as VMware. From its humble beginnings in 1998, VMware has grown into a multibillion-dollar global enterprise that has fundamentally altered the landscape of business computing, even taking a lead in reducing power consumption by businesses. (For information about VMware's work in green computing, see the sidebar "Need to Save Money? Build Green and Virtualize.") Fresh from its tenth anniversary (and the ninth anniversary of its first product, VMware Workstation 1.0), the company looks poised for a future of continued growth.

Looming on the horizon, however, are dark clouds imprinted with a Microsoft logo and shaped like a Windows-Server-2008-with-Hyper-V product box. Can VMware fend off Microsoft's delayed entry into the virtualization arena and retain its dominant, well-earned leadership position in the market? I spoke with VMware President and CEO Diane Greene to ask about VMware's strategy for the future and how it intends to keep a step ahead of Microsoft.

James: In 1998, virtualization was about creating an abstraction layer between hardware and software, then it quickly grew into server consolidation and testing. Now we're seeing many different types of virtualization in the market. From your perspective, what areas of virtualization are experiencing a lot of growth right now?

Greene: We recently took a hard look at that and realized that a good way to give a context to [the different types of virtualization] was to compare them with the phases customers go through when they deploy virtualization.

The first thing people realized—and this happened 
when we launched Workstation 1.0—was that "Now I 
can separate my software from the hardware. I can have 
multiple copies of a working software configuration that 
I can clone and maintain libraries of." It also was a very 
valuable way to run Windows with Linux on the same 
machine; it was also a very valuable way to do test and 
development for any possible configuration. 

The next thing that happened was people realized 
"Oh, OK; I don't have to run just one application per 
server anymore, because the software is now separate 
from the server and isolated and I can tax that server up 
to 80 to 85 percent utilization with these virtual machines, 
instead of running at 5 to 15 percent utilization in the 
one-application-per-server model." That was the server 
consolidation phase. 

The next thing was, now that software is separated and can run with other software in these virtual machines, VMware invented VMotion to move software around dynamically across physical boundaries. Now all of a sudden you may say "OK, now I can actually take my hardware resources—my CPUs, my memory, my disks, and my network—and I can aggregate them all to get even better utilization. I can do it dynamically so I can service things when they're broken without any interruption, I can dynamically allocate and add capacity when I need it to maintain response time, and I can also do much better high availability because I have pooled resources to take advantage of." That was the aggregation phase.
Then, all of a sudden you'd look at this and you'd say, "Any application I put in this virtual machine inherits all of these wonderful properties, and I get all the properties in one uniform, consistent way." You then realize that you can manage and automate how this software runs. I can, for instance, group software together and treat it as a unit for testing and development. I can manage the images and the disks and the process by which I go through testing and into staging and production. I can do a whole automation of software lifecycle management. Or a completely different example is you can now automate how an application or a set of applications go through disaster recovery. You can automate the scripting of that so the configuration of your DR process, instead of being in some old crusty playbook, can be encapsulated in an automated process that takes advantage of VMs. So then you can test it in production and you can let it run. That's the automation and management phase.

We see a fifth phase that has to do with cloud computing, what we call the liberate phase. That's where you can, within your data centers, have multiple data centers and treat them like a cloud because the VMs can move around. You can also have external data centers, hosting providers, and cloud providers that you can use. You can also secure and monitor your VMs both on-premise and off-premise.

James: Some statistics show that only 10 
percent or so of servers are being virtualized. 
Do you have a timeframe for when you think 
the 100-percent-virtualized IT infrastructure 
will become a reality? 

Greene: It's always hard to predict how quickly humans move to do something. We were overly optimistic that they would see immediately how valuable this was and move to it. Even though we have more than a hundred thousand customers using this software—all of the Fortune 100—there's still a measured pace to which they roll it out, even though they are reducing the number of administrators it takes to run their software, getting better resource utilization—all the advantages of doing more with less. We're in a cycle now where there's increased pressure to do more with less, so that may push people to move more quickly. There's also much wider awareness of it. Someone recently pointed me to an incredible James Fallows piece on using our Mac Fusion product and how it just worked—he waxed eloquent on the value of it. When you get the mainstream [press] talking about virtualization, it's clear that [virtualization has become] widely accepted.

We're also embedding a small-footprint virtualization platform hypervisor [VMware ESXi] that's coming with servers, so that will also further accelerate the [move to virtualization]. To make a long story short, it's hard to predict. For a crisp answer to your question it could be anywhere from the next couple years to the next 8 to 10 years.

James: Microsoft executives we've spoken 
to have said that "virtualization should be 
a feature of the OS" and that "Windows is 
an OS that's adding a virtualization feature, 
while VMware is a feature trying to become 
an OS." How would you respond to those 
comments? 

Greene: Virtualization is really revolutionizing IT. It's really changing how we do everything. One of the ways it's doing that is because we now have completely



Need to Save Money? Build Green and Virtualize

Server virtualization and consolidation can help IT pros reduce power consumption in the data center, but VMware took the power-reduction principle a step further when building its new campus in Palo Alto, California. "From the get-go we wanted to make it a sustainable campus, so we went out and found a green architect, Bull McDonough Partners," says VMware President and CEO Diane Greene. "We focused on using recyclable materials, having lots of natural light, and using good landscaping and drainage...you basically don't need to turn lights on in the building because we have so much natural light."

VMware's new campus might be one way to cut energy costs, but what's an IT pro to do when asked by management to cut data-center energy costs while maintaining service levels? Server virtualization and consolidation are a big part of the solution, and an approach that saved Mike Carvalho, chief technology officer at 1-800-Radiator, a bundle on his data center costs.

"Our data center was full, our racks were full, the AC was maxed, and we were maxed out on UPS units," says Carvalho. "After an old friend suggested we consolidate and virtualize, I gave it a shot. I did it all myself in three weeks, and we saved about 30 percent on our power costs right off the top." Carvalho said 1-800-Radiator was the first company to take advantage of a program developed by VMware and California's Pacific Gas and Electric that gives business customers rebates for using server virtualization to reduce power consumption. Carvalho finds it ironic that his company was the first to receive the rebate. "Global warming would actually be good for us," he jokes. "The hotter it gets, the more radiators we would sell!"

InstantDoc ID 99307 


36 JULY 2008 Windows IT Pro 


We're in IT with You 


www.windowsitpro.com 
















separated the software from the hardware. The way you do that is that you run the OS and the application in a VM that you can move around and that can be managed completely separately. The traditional OS as we know it is tied to the hardware in a static fashion—it's a highly constrained environment. To extend an OS to include virtualization would be to take one of the most powerful aspects of virtualization and throw it away. Virtualization is something that lets you separate the hardware and the software, so when you have a hypervisor embedded in the hardware, you now have that power of separation and ability to aggregate things and automate things that you would not have if you had the static tie to the hardware.

You mentioned that Microsoft wants the OS to have virtualization as a feature. A huge advantage of having a thin hypervisor—ESXi is under 32MB—is that it is very reliable and very secure. When you make it a feature of the OS, your virtualization is only as reliable and secure as your OS is. VMware has brought out a new model—and brought it mainstream—that lets people do things in a way that dramatically improves how we manage, access, and deliver our software.

James: I've heard from a number of readers and colleagues who believe that VMware is clearly ahead of Microsoft when it comes to virtualization technology. Historically, Microsoft might enter a new market with an inferior product, but over time it continually updates that product. Microsoft also leverages its existing products to pressure competitors. VMware is in a much stronger position than companies such as Netscape, Novell, and Digital Research were, but Microsoft might eventually be where VMware is now.

Greene: VMware's strategy and vision is to partner with the industry to deliver increasingly more valuable ways to manage and deliver your compute environment—I think we've been delivering on that phenomenally well. What our customers are able to do with our software just is amazing.

It's not just that we're ahead; it's the value that we're delivering to customers. And how much they love that value—they get software that just works. On a very regular basis they get [upgrades] that provide new functionality and get even more value out of this revolutionary way of doing things called virtualization. They're now getting management and automation. What do people want to do? They want to build and quickly deploy applications that are always available and always responsive [and] that drive their business. They don't care where it comes from—if it comes from a cloud, if it comes from a service, if it comes from their internal data center—they just want to drive their business.

What we've set out to do is to make that very, very simple and let people do it the way they intuitively want to without having to worry whether they're optimizing their resources. They're not worrying about failures; they're not worrying about not having enough capacity when server load goes up.

VMware has continually delivered on that promise with regular new products—every year, every few months—and we're doing that with a very extensive ecosystem of partners—we now have over 14,000 partners and over 700 technology partners—and our customers trust us. We're giving them very credible, useful, valuable products time and time again. That's why we have all the Fortune 100 [as customers] and have 92 percent of the Fortune 1000. We did a recent survey—13,600 customers responded—and 98 percent told us they were happy with their VMware deployment and had gotten the ROI they needed.

I don't know why someone would want to wait and see when there's a [virtualization] solution that has some customers realizing a positive ROI within a few months. As far as where VMware is going in the future, we'll continue to work with our partners, build out our ecosystem, and deliver an increasing value to our customers. That strategy has been working well.

James: On the systems management side, Microsoft seems to be trying to leverage its management capability on the physical side with Microsoft System Center to go to customers and say that it has a solution that manages both physical and virtual systems. VMware VirtualCenter does a lot with VMs that Microsoft System Center Virtual Machine Manager doesn't. Given Microsoft's approach, would VMware ever consider upgrading its products to include management of physical machines? Or do you see combining physical- and virtual-machine management as a stopgap solution until we get to a fully virtualized IT infrastructure?


Greene: A lot of our partners have very excellent, well-tested, time-tested ways to manage physical machines. VMware has decided to take our 6,000-plus employees and focus on virtualization management. We don't see a need for us to take into account legacy management software, other than working with partners to have very clean APIs to integrate with their management and consoles. That has worked very successfully for our customers, and we don't see a reason for reinventing something that is already there and works well, especially when we can offer increasing functionality in an area of future growth. So VMware will increasingly offer management and automation that exploits the power of virtualization, and we'll do that in conjunction with our system vendor partners that manage hardware.

James: Hyper-V isn't out yet, but what 
features do you believe VMware offers that 
competitive products don't? 

Greene: VMware has a very broad portfolio of products from the desktop to the data center, all integrated, that simplify and automate management of the desktop and data center. Other companies are just coming out with an entry level, 1.0 product that is just basic virtualization. VMware gives our customers a complete portfolio to manage, to [help them] deploy their data center, while integrating the desktop and server.

In terms of specific qualities of VMware, [I think we offer] unbelievable quality. Our products just work, and the quality is there. We have customers telling us over and over again about the quality of the product. That quality is a very core focus of the company. We already have a very broad portfolio to simplify running and managing your data center, a very rich roadmap, and an extremely rich ecosystem of partners that we interoperate with seamlessly.
PROBLEM:

Windows Server 2003 SP1's Security Configuration Wizard (SCW) isn't Exchange Server 2007-aware.

SOLUTION:

Use the Exchange Server 2007 files Exchange2007.xml and Exchange2007Edge.xml to extend the SCW.

WHAT YOU NEED:

Windows Server 2003 SP1, Exchange Server 2007

SOLUTION STEPS:

1. Install Windows Server 2003 SP1.

2. Install the SCW.

3. Install and register the XML files Exchange2007.xml and Exchange2007Edge.xml.

4. Configure the SCW to secure your Exchange environment.

DIFFICULTY: 


ooo 


Secure Your Exchange Server


by Brien Posey 


Take advantage of the Security 
Configuration Wizard 



When Microsoft originally created the Security Configuration Wizard (SCW) as part of Windows Server 2003 SP1, it was intended primarily as a utility for helping network administrators to secure Windows. Even so, the wizard benefited Exchange Server administrators, because Exchange depends on Windows. After all, if Windows isn't secure, then Exchange won't be secure either.

When Microsoft created Exchange Server 2007, the company included a couple of XML files that can be used to extend the SCW. These files let Exchange administrators use the SCW to secure Exchange, not just Windows. In this article, I'll show you how to install and configure the SCW, as well as how to use it to secure an Exchange server.

Installing the Security 
Configuration Wizard 

Because the SCW was initially introduced in Windows 2003 SP1, you must install SP1 or a subsequent service pack in order to install the wizard. However, simply applying a service pack doesn't install the SCW.

After the service pack is installed, start the Control Panel Add/Remove Programs applet. In the Add/Remove Programs dialog box, click Add/Remove Windows Components. You'll see a list of various Windows components. Scroll through the list until you find the Security Configuration Wizard option. Select the corresponding check box, and click Next. Windows will then begin copying the necessary files. Depending on how your server is set up, you might be prompted to insert your Windows installation CD-ROM. When the file copy process is done, click Finish to complete the installation.

Adapting the Security Configuration Wizard for Exchange

After you install the SCW, you must adapt it 
for use with Exchange Server. To do so, insert 
your Exchange 2007 installation media and 
navigate to the Scripts folder. 

Next, you need to locate the following two files: Exchange2007.xml and Exchange2007Edge.xml. You can use these two XML files to extend the SCW to support Exchange 2007. You must copy these files to the server's %windir%\security\msscw\kbs folder.

The two XML files are security template files that are designed to make the SCW Exchange 2007-aware. The Exchange2007.xml file can be used for securing any Exchange 2007 server so long as it isn't hosting the Edge Transport server role. Microsoft created a completely separate XML file, Exchange2007Edge.xml, to assist you in securing Edge Transport servers. As you probably know, an Edge Transport server operates at the network perimeter and therefore has very different security needs from that of Exchange 2007 servers hosting other roles—which is why Microsoft created two different XML files.

A benefit of the SCW is that it can be used to secure remote servers. I therefore suggest that you register both XML files with the SCW, so that you can use the wizard to secure any Exchange 2007 server. To use the SCW, you must be a member of the Exchange Server Administrators group and the local Administrators group for the target server.

You need to register the XML files before 
the SCW can use them. Registering the 
files is simple. To do so, open a command 
prompt window, and enter the following 
commands: 

CD\Windows\SYSTEM32
SCWCMD Register /kbname:MSExchange /kbfile:%windir%\security\msscw\kbs\Exchange2007.xml
SCWCMD Register /kbname:MSExchangeEdge /kbfile:%windir%\security\msscw\kbs\Exchange2007Edge.xml

Figure 1 shows the result of running these 
commands. 
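
The copy and register steps described above can be run as one batch file that stops at the first failure. This is an added example, not code from the article or from Microsoft; the script's argument (the Scripts folder on your Exchange 2007 media) is an assumption, as is scwcmd returning a nonzero exit code when registration fails.

```bat
@echo off
rem Added example: copy the Exchange 2007 SCW extension files from the
rem installation media into the SCW knowledge-base folder and register them.
rem Assumption: %1 is the Scripts folder on the Exchange 2007 media.
setlocal

if "%~1"=="" echo Usage: %~nx0 SCRIPTS_FOLDER & exit /b 2

set "SRC=%~1"
set "KBS=%windir%\security\msscw\kbs"

rem The kbs folder exists only after the SCW component has been installed
rem through Add/Remove Windows Components.
if not exist "%KBS%\" echo SCW folder not found: "%KBS%" & exit /b 1

rem One knowledge base for regular Exchange 2007 roles, one for Edge Transport.
call :register MSExchange Exchange2007.xml || exit /b 1
call :register MSExchangeEdge Exchange2007Edge.xml || exit /b 1

echo Both Exchange 2007 extensions are registered with the SCW.
exit /b 0

:register
rem %1 = knowledge-base name, %2 = XML file name
if not exist "%SRC%\%~2" echo Missing %~2 in "%SRC%" & exit /b 1
copy /y "%SRC%\%~2" "%KBS%\" >nul || exit /b 1
scwcmd register /kbname:%~1 /kbfile:"%KBS%\%~2"
rem Assumption: scwcmd sets a nonzero errorlevel on failure.
if errorlevel 1 echo Registration of %~1 failed. & exit /b 1
exit /b 0
```

Run it from an account that has local Administrators rights on the server. The View Configuration Database step in the wizard remains the way to confirm that the Exchange 2007 roles now appear.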

Securing Exchange Server 2007 

Now that you've installed the SCW and registered the necessary XML files, it's time to use the wizard to secure an Exchange server. For the purposes of this article, I'll show you how to use the SCW to secure a regular Exchange server (not an Edge Transport server). If you need to secure an Edge Transport server, the procedure for doing so is very similar, aside from some obvious differences (e.g., not belonging to the Active Directory—AD—that the rest of Exchange belongs to).

To launch the SCW, select it from the 
server's Administrative Tools menu. The 
wizard's Welcome screen will open and will 
present you with several warnings. 

The first warning explains that you can 
use the SCW to create a security policy that 
can be applied to any server on the network, 
and that the various servers and security 
settings that are applied will be based on 
your server's roles. However, you must keep 
in mind that the wizard doesn't actually 
configure a server to perform a certain role. 


Configuring a server's role is up to you. The 
SCW's job is to create a security policy that is 
appropriate for the server based on its roles. 

Another issue that you need to be aware of is that the SCW doesn't automatically detect the server's roles. Instead, the wizard will ask you which roles the server is performing. If you answer the wizard's questions incorrectly, then the security policy might not be stringent enough, or it might be so strict that it prevents some necessary services or applications from running.

One thing that the wizard does detect automatically is which inbound ports are in use. Therefore, it's important that any applications or services that listen for inbound traffic are running before you run the wizard.

To get started configuring the wizard, click the Next button on the Welcome screen. You'll see a screen that asks if you want to create a new security policy, edit an existing security policy, apply an existing security policy, or roll back to the last security policy that was applied.

The option of rolling back to the last applied security policy can be a real lifesaver. If you happen to make a mistake and apply a security policy that is too restrictive, you can rerun the wizard and use the rollback option to return your server to normal. Although rolling back the security policy is no substitute for having a good backup, it's a nice option if you need it.

To configure the SCW initially, select the option to create a new security policy. After you click Next, you'll see a screen asking you which server you want to use as a baseline. The wizard will create a security policy based on the server's current settings, as well as on how you answer the wizard's various questions. After you create a baseline policy, you can apply the policy to the server that you used to create it, or you can apply the policy to any other server.

A minor issue that I noticed while writing this article is that if the server you're running the SCW on is running Windows 2003 SP1, then the wizard will insist that your target server also be running SP1—even if the target server is running SP2. Upgrading the server that the wizard is running on to SP2 seems to fix the problem.

Regardless of which server you choose to apply the policy to, you must have administrative permissions on the server. If the account that you're using doesn't have administrative privileges, you can click Specify User Account to provide an alternative set of credentials.

After you click Next, the SCW will process the security configuration database. When this process completes, click View Configuration Database to see all the server roles that the SCW is aware of. Although you can't make any selections on this screen, you should at least verify that the SCW is Exchange 2007-aware. If the various Exchange 2007 roles appear in the list, then you registered the two XML files correctly.

Close the list of supported server roles and click Next. The following screen will inform you that you're about to begin configuring the security policy based on the server's roles, and that specifying incorrect roles can cause the server to stop functioning. In light of this warning, I highly recommend that you create a full system backup of the server before you continue.

Click Next to see a list of the roles that are currently installed on the server. The wizard does its best to try to identify the Windows server roles that are currently installed. Still, you must work through the list and ensure that all the roles that are important for the server are selected. Take your time going through the list, because making a mistake might cause the server to not work correctly.

Figure 1: Registering Exchange2007.xml and Exchange2007Edge.xml

Figure 2: Verifying additional services

Click Next, and you'll see a list of the installed features. The basic concept behind this screen is that every Windows server also acts as a workstation in some capacity. The items in this list are the workstation components (called client features) that are currently installed. Again, go through the list carefully and make sure that the features you intend to use are selected before clicking Next.

At this point, the wizard will display the 
Administration and Other Options screen. 
This screen lists services and components 
that are related to performing administrative 
tasks on the server. Again, the wizard does a 
fairly good job of anticipating which of these 
services and components you'll need, but 
you need to go through the list yourself and 
make sure that all the necessary components 
and services are selected. 

The next screen lists the additional services that were detected while processing the security configuration database. Typically all the additional services that were detected will be selected, as Figure 2 shows.

In some cases you might not want to select all the services that were detected. In such a case, you should quit the SCW, uninstall the unwanted software, and then work through the wizard again.

Because the SCW might occasionally not detect a service that's on the server, the wizard asks you to decide what you want to do if an unspecified service is detected. The wizard gives you two choices: You can disable the service, or you can allow the service to run as originally intended (by using the Do not change the startup mode of the service option).

Figure 3: Enabling necessary ports

Click Next to see a summary of all the services that have been detected. The summary displays the service's current startup mode and what the startup mode will be after the new policy takes effect. I recommend that you take some time to meticulously look through this list, to make sure there are no mistakes.

When you're satisfied with the changes that will be made, click Next to go to the wizard's Network Security screen. This screen informs you that the wizard is about to configure the Windows firewall based on the roles your server is hosting. The screen contains a check box that you can use to completely skip the network security configuration. Assuming that you want to secure the network, click Next.

You'll see a screen similar to the one in Figure 3. As you can see in the figure, the screen lists various ports and asks you which of the ports you want to open. Initially, all the ports appear to be selected. However, if you scroll through the list you'll see that some ports are not selected by default—especially ports related to Exchange Server. You'll need to examine each port individually and decide whether you need to enable the port.

Click Next to see a summary of the ports that were detected, as well as what the port status will be after the new security policy is in place. Ensure that everything in the list is correct, and click Next again.

You've now reached the 
wizard's Registry Settings 
section. This section lets you specify which 
protocols can be used to communicate with 
other computers. 

Figure 4: Configuring the registry

Click Next to go to the SMB Security Signatures screen, which Figure 4 shows. As you can see in the figure, the registry is configured based on which check boxes you select. You must indicate whether the other computers on the network meet minimum OS requirements, as well as whether the server has
sufficient processing power to digitally sign all file and print
traffic. The first check box asks whether the other computers that the
server communicates with meet certain OS requirements, which are
listed below the check box. The second check box asks whether the
machine has the necessary power to digitally sign file and print
traffic. Selecting both check boxes enables Server Message Block (SMB)
security signatures.
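
One way to confirm the SMB signing state once the policy has been applied, as an added example that is not part of the original article. The registry paths and value names are the standard Windows ones for the Server and Workstation services; the article does not list them, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the article): read the SMB signing values from the
# registry so you can confirm what a hardening policy actually left in place.
# Key paths and value names are the standard Windows ones, assumed here.
function Get-SmbSigningState {
    $targets = @(
        @{ Role = 'Server (LanmanServer)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' },
        @{ Role = 'Client (LanmanWorkstation)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' }
    )
    $settings = 'EnableSecuritySignature', 'RequireSecuritySignature'

    foreach ($target in $targets) {
        # SilentlyContinue: a missing key is reported as "not set", not as an error.
        $props = Get-ItemProperty -Path $target.Path -ErrorAction SilentlyContinue

        foreach ($setting in $settings) {
            $value = $null
            if ($props -and $props.PSObject.Properties[$setting]) {
                $value = [int]$props.$setting
            }

            if     ($null -eq $value) { $state = 'Not set (OS default applies)' }
            elseif ($value -eq 1)     { $state = 'On' }
            else                      { $state = 'Off' }

            [pscustomobject]@{
                Role    = $target.Role
                Setting = $setting
                Value   = $value
                State   = $state
            }
        }
    }
}

$report = Get-SmbSigningState
$report | Format-Table -AutoSize

# Enable only offers signing to the peer; Require is what enforces it.
$notRequired = $report | Where-Object {
    $_.Setting -eq 'RequireSecuritySignature' -and $_.Value -ne 1
}
if ($notRequired) {
    Write-Warning ('SMB signing is not required for: ' +
        (($notRequired | ForEach-Object { $_.Role }) -join ', '))
}
```

Run it before and after applying the policy and compare the two tables.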

The next screen asks which methods the server uses to authenticate
with remote computers. Typically, domain accounts are the sole
authentication mechanism. However, you can specify that local accounts
or file sharing passwords be used.

The screen that you see next will vary 
depending on the options you chose on the 
previous screen. Assuming that you selected 
the Domain Accounts option, you'll be asked 
to verify that all the domain controllers (DCs) 
are running Windows NT 4.0 with SP6A or a 
more recent OS. The screen also asks you to 
confirm that clocks are synchronized with the 
selected server's clock. 


Click Next to go to the screen that displays 
a summary of the options you've chosen 
within the Registry Settings section. If all 
the settings seem to be correct, click Next to 
continue. 

The wizard will now take you to the Audit Policy section. Clicking
Next will display a screen that asks you to determine your audit
policy. You have the option of not auditing anything, auditing
successful activities, or auditing successful and unsuccessful
activities. Make your selection and click Next to go to a summary
screen that shows which events will be audited when the new policy
takes effect.

The wizard then takes you to the Save Security Policy section. Click
Next again, and you'll be asked to provide a name and an optional
description for the policy you're creating. The screen also contains a
View Security Policy button that you can use to generate a report of
all the security options you've selected. You can use this report to
verify one last time that all the security settings are correct.


Click Next, and you'll see a screen asking 
if you'd like to apply the policy now or later. 
If you choose to apply the policy now, you'll 
need to reboot the server. After you make 
your selection, click Next followed by Finish 
to complete the wizard. 

Harden Your Environment 

Windows 2003 SP1's SCW was originally designed to help secure the
Windows OS. But two Exchange 2007 files, Exchange2007.xml and
Exchange2007Edge.xml, let you extend the SCW to secure Exchange in
addition to Windows. Installing and configuring the SCW and
registering these XML files make the SCW Exchange 2007-aware and thus
make your entire environment more robust.
101


LESSON 6


In Windows PowerShell, you access folders and files by providing a
pathname, such as C:\Windows\System32. In this case, the pathname
begins with C, which is the drive name. Whenever you access a
file-system resource, you must provide the drive name, or the drive
must be implicit within the context of the command, such as when
you're retrieving a list of objects in the current working location.

File-system drives aren't the only type of drives that PowerShell
supports. PowerShell supports a number of drives that provide access
to different data stores. For example, as I demonstrated in Lesson 5,
you use the Variable drive to access built-in variables and the Env
drive to access environment variables.

In this last lesson of the PowerShell 101 series, you'll learn about the available drives and how to 
implement them through PowerShell providers that facilitate access to the data stores. You'll also learn 
how to work with PowerShell's built-in drives and how to create additional drives. By the end of the 
lesson, you'll know how to access not only the file system but also the certificate store, the registry, and 
other data stores. 


How to work with PowerShell's built-in drives and create new drives

by Robert Sheldon


Understanding PowerShell Providers 

At the heart of data-store access lie the PowerShell providers. A
provider is a Microsoft .NET program that provides a data-access layer
between PowerShell and the data. Providers abstract data access so
that you can use the same mechanisms within PowerShell to interact
with the various stores. For example, you can use the Get-ChildItem
cmdlet to access the file system, registry, and certificate store.

PowerShell supports a number of built-in providers. To view a list of
providers currently available on your system, you can use the
Get-PSProvider cmdlet in the command

Get-PSProvider | select Name

Table 1 lists the providers that currently ship with PowerShell.
Because PowerShell is extensible, custom providers can be developed to
access other types of data stores.


Table 1: PowerShell's Built-In Providers

Provider      Data Store
Alias         PowerShell built-in and user-defined aliases
Certificate   Windows digital signature certificates
Environment   Windows environment variables
FileSystem    Windows file system drives, folders, and files
Function      PowerShell functions
Registry      Windows registry
Variable      PowerShell variables

Figure 1: Displaying a list of PowerShell drives


You can then install those providers and 
access the data stores as you would access 
the data stores supported by the built-in 
providers. However, a discussion about 
custom providers is beyond the scope of this 
article. See the about_provider Help file for 
information. 

Despite the important role that providers 
play, they are, for the most part, invisible to 
you within PowerShell. What are visible, 
however, are the PowerShell drives you use 
to access the providers. 

Working with the Built-In Drives 

Providers expose data through one or more PowerShell drives. For
example, the FileSystem provider exposes file-system data through
PowerShell drives that have a direct correlation to your Windows
drives. For instance, the FileSystem provider exposes your Windows C
drive through the PowerShell C drive.

To view a list of PowerShell drives and their associated providers,
you can use the Get-PSDrive cmdlet, as shown in the statement

Get-PSDrive | sort Provider, Name

This statement sorts the results first by provider, then by name so
that the providers are grouped together, as Figure 1 shows. Notice
that on my system, the FileSystem provider supports six drives, the
Registry provider supports two drives, and the other providers each
support only one drive.

The preceding statement also displays root information. The root
refers to the location within the target data store that the
PowerShell drive maps to. For example, the HKCU drive maps to the
HKEY_CURRENT_USER hive in the registry. For drives that access
nonhierarchical data stores, such as PowerShell aliases and variables,
the root value is blank.

You can also use Get-PSDrive to retrieve information about a specific
drive. For example, the following statement retrieves data about the
Function drive:

Get-PSDrive Function | Format-List

As Figure 2 shows, this statement returns details such as the name of
the provider and a description of the drive. Notice that the figure
also shows the statement

Get-PSDrive -PSProvider Registry

In this case, Get-PSDrive returns a list of drives associated with the
Registry provider.

After you know what drives are available, 
you can access those drives within your 
commands. For example, you can change 
your working location to the Env drive with 
the statement 

cd Env:\ 

This statement uses the cd alias to reference the Set-Location cmdlet.
Figure 3 shows how the command prompt now reflects the new location.
Once in that folder, you can run other PowerShell commands, such as

dir | where {$_.Name -like "*path*"}

In this command, I use the dir alias to reference the Get-ChildItem
cmdlet, then filter out all variable names that don't contain the
string path. The results in Figure 3 show that the Get-ChildItem
cmdlet works the same as if this were a file-system drive.

You can access any drive type from any 
other drive type. For example, the following 
statement retrieves a list of objects in the 
HKCU drive: 

dir HKCU:\ 

As you can see in Figure 4, Env is still my 
working location, but the results are pulled 
from the HKCU drive. 



Figure 3: Changing the working location

Figure 4: Retrieving registry information for the current user

Figure 2: Retrieving drive-specific information

Figure 5: Retrieving registry information for the local machine

Figure 6: Retrieving registry key properties

Figure 7: Creating a registry key

You can also change to any drive type from any drive type. For
example, the following command changes the working location to a
registry key:

cd HKCU:\Software\Microsoft\Office\

As this command shows, not only can you change to a different drive,
but you can also change to folders within that drive, whether it's in
the registry, the file system, or another hierarchical data store. In
this case, I've set the working location to
HKEY_CURRENT_USER\Software\Microsoft\Office.

It also doesn't matter whether you access data through different
providers or the same provider. For example, the following statement
retrieves information from a registry key in a different hive:

dir HKLM:\Software\Microsoft\Office\

By using PowerShell drives, you can jump from location to location
without taking any special steps, as shown in Figure 5.

To view specific information about an item such as a registry key, you
can use the Get-ItemProperty cmdlet. The following statement retrieves
information about the HKEY_LOCAL_MACHINE\Software\Microsoft\ASP.NET
key:

Get-ItemProperty HKLM:\Software\Microsoft\ASP.NET

As you can see in Figure 6, the statement retrieves a list of
properties and their values. Notice that the results also include
PowerShell-specific information, such as the name of the PowerShell
drive and provider.

Besides using the PowerShell built-in drives to retrieve data, you can
use them to take any action applicable to the data store. For example,
you can use the New-Item cmdlet to create an object in the registry:

New-Item HKLM:\Software\Microsoft\TestKey1

This command creates the TestKey1 key in
HKEY_LOCAL_MACHINE\Software\Microsoft. Figure 7 shows this command's
results.

After you create the key, you can use the New-ItemProperty cmdlet to
add a property to the key. (Adding a property in PowerShell is the
same as adding an entry in the registry editor.) The following
statement adds the TestProperty property to TestKey1:

New-ItemProperty HKLM:\Software\Microsoft\TestKey1 -Name TestProperty -PropertyType string -Value "test value"

The added property has a value of test value, which is a string data
type. When you run the statement, PowerShell returns a list of all
properties and their values. As Figure 7 shows, the new property has
been added.

You also can take other actions through the PowerShell drives. For
example, the following command uses the Rename-Item cmdlet to rename
TestKey1 to TestKey2:

Rename-Item HKLM:\Software\Microsoft\TestKey1 TestKey2

In this command, the first argument identifies the original key and
the second argument provides the new name. You can also use the
Remove-Item cmdlet to remove a registry key:

Remove-Item HKLM:\Software\Microsoft\TestKey2

As these statements demonstrate, working with a registry drive is
similar to working with a file-system drive. You can just as easily
use the New-Item, Rename-Item, and Remove-Item cmdlets with files and
folders—or items in any other drive for that matter.
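
The lesson names the certificate store as one of the data stores but shows no command against it. The following added example, which is not part of the original article, runs the same Get-ChildItem call against three providers and then filters the Cert: drive for certificates close to expiry. The function name, the store paths, and the 30-day window are this example's assumptions, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the article): one cmdlet, three providers, and a
# practical filter on the Cert: drive. Names and defaults are illustrative.
function Get-ExpiringCertificate {
    param(
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'),
        [int]$Days = 30
    )
    $now = Get-Date
    $deadline = $now.AddDays($Days)

    foreach ($path in $StorePath) {
        if (-not (Test-Path -Path $path)) { continue }

        Get-ChildItem -Path $path |
            # A store can also contain child containers; keep certificates only.
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            Where-Object { $_.NotAfter -le $deadline } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    # Negative values mean the certificate has already expired.
                    DaysLeft   = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
                }
            }
    }
}

# The same call against a folder, a registry key, and a certificate store.
# Each provider hands back its own .NET type.
foreach ($location in $env:SystemRoot, 'HKCU:\Software', 'Cert:\CurrentUser\My') {
    $provider = (Get-Item -Path $location).PSProvider.Name
    $first = Get-ChildItem -Path $location -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $typeName = if ($first) { $first.GetType().FullName } else { '(no child items)' }
    '{0,-22} {1,-12} {2}' -f $location, $provider, $typeName
}

Get-ExpiringCertificate -Days 30 | Sort-Object NotAfter | Format-Table -AutoSize
```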

Creating PowerShell Drives 

Up to this point, I've shown you only statements that use the built-in
PowerShell drives. However, you can also create drives based on
existing providers. This can be useful when you want to simplify
commands that you use often.

To create a PowerShell drive, you use the New-PSDrive cmdlet. For
example, the following statement creates a drive named ps:

New-PSDrive -Name ps -PSProvider FileSystem -Root $pshome

The statement identifies the name of the new drive, then the provider,
and finally the root. In this case, I use the PSHOME built-in variable
to retrieve the PowerShell home folder name. When you run this
statement, PowerShell creates the drive and displays information about
the drive, as shown in Figure 8. Notice that PowerShell displays the
actual root name, not the variable name. (For more information about
variables, see Lesson 5.)

After you've created your drive, you can use it just like the built-in
drives. For example, the following statement changes the working
location to the ps drive:

cd ps:\

As Figure 8 shows, the PowerShell command prompt reflects the name of
the new drive. You can now work in this drive as though you had
changed the working location to
C:\Windows\system32\WindowsPowerShell\v1.0.

To test whether you're working in the correct folder, you can run the
Get-ChildItem cmdlet. Figure 9 shows you the type of results you
should expect. Notice that the results include the correct name of the
working location. (In this example, PowerShell is running on a Windows
XP computer. If you run PowerShell on a different OS, you might see
different results because the PowerShell home directory is set up
differently for different OSs.)

PowerShell also includes the Remove-PSDrive cmdlet, which lets you
remove user-defined drives. To use the cmdlet, you must be in a
working location other than the one you want to delete. For example,
the following code changes the working location, then deletes the ps
drive:

cd C:\; Remove-PSDrive ps

Note that any drives you create within a session persist only until
you end that session, so you don't need to remove a drive unless you
have a reason to explicitly delete it. For example, you might want to
simplify your list of available drives when you're no longer using a
particular drive. You can persist custom drives across sessions by
modifying your profile file. In a later lesson, you'll learn how to
create and customize profile files. However, if you're anxious to
learn more about profile files now, see the TechNet article "Windows
PowerShell Profiles"
(technet.microsoft.com/en-us/library/cc162758.aspx).

Figure 8: Creating a registry key property

Figure 9: Retrieving data through a PowerShell drive
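
New-PSDrive is not limited to the FileSystem provider. The following added example, which is not part of the original article, maps two deep registry paths to short drive names, reads the values under each, and removes the drives again. The drive names, the function name, and the choice of the Run keys (the entries that start at logon) are this example's assumptions, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the article): short-lived registry drives that turn
# long key paths into short ones. Drive names and key paths are this example's
# choices.
function Get-AutorunEntry {
    $roots = [ordered]@{
        RunLM = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        RunCU = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    }
    $created = @()

    try {
        foreach ($name in $roots.Keys) {
            if (-not (Test-Path -Path $roots[$name])) { continue }

            # -ErrorAction Stop: fail loudly if the drive name is already taken.
            $null = New-PSDrive -Name $name -PSProvider Registry `
                                -Root $roots[$name] -ErrorAction Stop
            $created += $name

            # "${name}:\" is the root of the new drive, that is, the Run key itself.
            $key = Get-Item -Path "${name}:\"
            foreach ($valueName in $key.GetValueNames()) {
                [pscustomobject]@{
                    Drive   = "${name}:"
                    Name    = $valueName
                    Command = $key.GetValue($valueName)
                }
            }
        }
    }
    finally {
        # The working location is never changed into these drives, so they can
        # be removed here without the cd step the lesson describes.
        foreach ($name in $created) {
            Remove-PSDrive -Name $name -ErrorAction SilentlyContinue
        }
    }
}

Get-AutorunEntry | Format-List
```

Saving the output and comparing it with a later run shows which startup entries were added or changed in between.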


That's All for Now 

In this lesson, I introduced you to PowerShell providers and drives.
As the examples demonstrate, you can access a number of data stores in
a manner similar to accessing files and folders. In addition, because
PowerShell uses providers and drives, the methods used to access data
are consistent among the data stores. In fact, much of what you've
learned in the PowerShell 101 series can be applied to the various
drives. When the PowerShell 201 series begins, you'll be able to use
the information from this lesson as well as the other lessons to
create complex statements that can access and manipulate a wide range
of resources.
SOLUTIONS PLUS


PROBLEM: 

IT needs virtual systems, and 
virtual systems need flexible 
storage options 

SOLUTION: 

Use Microsoft Virtual Server or 
VMware ESX Server with iSCSI 
storage 

WHAT YOU NEED:

An iSCSI storage array 
with supporting network 
infrastructure; a virtualization 
platform 

SOLUTION STEPS: 

1. Deploy iSCSI storage 

2. Move existing virtual hard 
disks or create new virtual 
disks on iSCSI storage 

3. Use advanced features such 
as snapshots and VSS support 
to enhance virtual system 
management 

DIFFICULTY: 


oo 


Bringing iSCSI SAN and Virtualization Together

Improve long-standing processes while streamlining your systems



Sometimes, it takes a few years for a technology to reach mass
acceptance in the enterprise space. And to bring powerful tools within
the reach of SMBs, you need to add another year or two of product
advances and more aggressive pricing. Two technologies that are now
reaching broad acceptance—iSCSI SANs and system virtualization—create
an opportunity for forward-thinking IT organizations to improve or
completely reinvent some long-standing processes involving system
provisioning and data protection. Fortunately, both technologies are
now within your reach. So, now is the time to learn the ins and outs
of implementing iSCSI SANs and virtualization in your Windows
environment, and to understand some of the key synergies between SAN
and virtualization technologies so that you can implement them to
their full advantage.

Why iSCSI? 

In a nutshell, iSCSI is a simple, powerful, and effective storage
solution for SMBs—without the price tag or learning curve of a Fibre
Channel storage architecture. Because iSCSI arrays are connected
through standard Ethernet, you can leverage your existing expertise
and investment in that technology and take advantage of reasonably
priced gigabit-over-copper Ethernet switching (thanks to a higher
level of vendor competition than you'll find among Fibre Channel
hardware vendors). As iSCSI vendors target the SMB space, they're
developing tools to simplify the setup, configuration, provisioning,
and ongoing management processes for their hardware.

iSCSI SANs offer a range of configurations and features that let IT
organizations choose appropriately sized and equipped configurations,
and most vendors typically permit relatively seamless expansion
through the addition of modular hardware. In addition to traditional
RAID configuration support, redundant, hot-swappable components (e.g.,
disks, control modules, fans, power supplies) can be specified for
maximum data availability. Other availability and load-balancing
features—such as snapshots, replication, and Microsoft Multi-Path I/O
(MPIO)—are available as standard or upgradeable options from most
iSCSI SAN vendors.

Most vendors offer solutions that use internal drives connected via
Serial Attached SCSI (SAS), Serial ATA (SATA), or a combination of
both technologies, giving IT organizations the latitude to tailor the
storage environment to specific performance and reliability needs. By
nature, SANs are shared storage, meaning that multiple systems can
carve out their own piece of the overall capacity. This strategy
yields a better utilization ratio than trying to right-size DAS on
individual servers. Furthermore, thin provisioning—a
storage-virtualization technique that most vendors use—lets you
logically allocate more storage space to a volume without fully
committing physical storage resources. As the data on the volume grows
and more physical storage is actually needed, it's automatically
allocated. The result is more efficient use of your investment in
storage.

Why Virtualize? 

Virtualization is all about driving down costs and maximizing the
utilization of hardware resources. The insanity of adding a server for
a single application is only exacerbated by the faster processors and
larger memory and disks that ship in today's standard servers.
Virtualization technologies let you run multiple isolated systems on
one piece of hardware. Therefore, not only do you get to actually use
the CPU cycles available to you, but you also need to buy fewer
servers, resulting in less rack space consumed and less reliance on
other datacenter resources such as cooling and power.

Virtualization also provides for more flexible and nimble systems
management. Because virtual machines (VMs) aren't tied to a specific
piece of hardware, tasks related to provisioning, deployment, and
configuration are much simpler and more quickly performed. Backup,
maintenance, and migration operations are also simpler, thanks to the
nature of a VM's self-contained, portable system image and emulated
hardware description.

Setting Up the Environment

Now, let's dig into some of the specifics of how to configure these
technologies in your environment and see how they can work together.
To give this article some hands-on perspective, I built an environment
specifically to test some virtualization and disaster-recovery
scenarios. For my iSCSI SAN, I used a Dell EqualLogic PS5000X storage
array and I installed both Microsoft Virtual Server 2005 R2 SP1 and
VMware ESX Server 3.5 to create a combination of virtual server and
client systems.

Installing and configuring the iSCSI array. Installation of the
EqualLogic iSCSI array was pretty simple, thanks to the Host
Integration Tools provided on an included CD-ROM. If you'll be using
Microsoft Storage Manager for SANs (SMfS)—a simple storage-management
tool available in Windows 2003 R2 and later—you'll want to ensure that
your storage vendor provides a Virtual Disk Service (VDS) hardware
provider, which is essentially an interface between the storage system
and the Microsoft VDS. In my tests, the EqualLogic tools' installation
process detected the SMfS installation and automatically installed its
VDS hardware provider. I used the vendor-provided tools to initialize
the storage array, configure a storage group, and set my server's
iSCSI configuration to access the SAN. I used the Web-based SANTest
Group Manager tool, which Figure 1 shows, to provision an initial
volume and perform basic SAN monitoring and management tasks
throughout my usage of the storage system. It took about an hour to
get the array configured and ready to manage through SMfS.

Systems that will connect to an iSCSI resource need to have a
dedicated NIC or an iSCSI host bus adaptor (HBA) card specifically for
connecting to iSCSI storage. There are a few advantages to using an
HBA instead of a standard NIC, including performance and a simpler
boot-from-SAN configuration, but for my testing I used standard
gigabit-over-copper NICs from Intel and Broadcom. Also, you need to
give some consideration to the network infrastructure over which your
iSCSI traffic will travel. You should employ enterprise-class,
nonblocking gigabit-over-copper Ethernet switches. If you don't want
to (or can't afford to) maintain a completely separate network
environment for your iSCSI devices, you should at least use a Virtual
LAN (VLAN) for the ports through which iSCSI traffic flows.

Setting up the virtualization platforms. When you're considering a
virtualization tool, you have a few vendor choices, and those vendors
typically offer multiple platform choices and management tools. To
keep things simple, I'll stick to Microsoft and VMware's popular
virtualization products. Setting up the virtualization platforms for
my tests was relatively easy. I downloaded Virtual Server 2005 R2 (see
the Learning Path at InstantDoc ID 99229 for download details) and
followed the simple installation instructions to set it up on two
Windows Server 2003 R2 systems. After the installation, an information
page outlined how to access the Virtual Server Administration Web
site. The management interface is intuitive, and the process of
creating and provisioning new systems is straightforward.

Figure 1: The Web-based SANTest Group Manager tool

I downloaded an evaluation version of VMware Infrastructure 3, which
contains ESX Server 3.5 (for download details, see the Learning Path)
and created an installation CD-ROM from the ISO image. Unlike the
Microsoft virtualization software, ESX Server doesn't run on top of
Windows Server. I booted from the installation media and had the ESX
Server system running in about 30 minutes. To manage the ESX Server
system, I could either install the VMware Infrastructure Client or use
the Web-based client.

At this point, both virtualization platforms were ready to create and
provision new VMs on local disk volumes. To leverage the iSCSI SAN, I
needed to prepare and connect SAN volumes to the Virtual Server and
ESX Server systems. For more information about configuring SAN storage
on Windows and VMware platforms, see the Web-exclusive sidebars
"Configuring SAN Volumes for Windows Virtual Server"
(www.windowsitpro.com, InstantDoc ID 99231) and "Configuring SAN
Volumes for VMware ESX Server" (InstantDoc ID 99232). And remember
that an essential part of any VM strategy is backup. The Web-exclusive
sidebar "Backing Up Virtual Systems" (InstantDoc ID 99254) discusses
recommended practices.


Working with Virtual Server

I first configured a couple of VMs on one of the server's local disks
and made sure they were completely configured and operational before
adding the SAN volumes to the server. Then, I migrated the existing
VMs to the new SAN volume, using the method that follows.

First, to make the job of moving any VM easier, I recommend performing
a clean shutdown of the VM. You can use the Virtual Server
Administration Web site, which Figure 2 shows, to perform clean
shutdowns of the systems you want to move. Now, assuming you're moving
all your VMs to another volume, you'll want to change the
MYVIRTUALSYSTEMS environment variable to the new path where your VM
files will reside. (See the Microsoft article "The My Virtual Machines
folder and virtual machine performance issues" in the Learning Path
for further information.) VMs are essentially made up of two files—a
VHD file (the virtual hard disk) and a VMC file (an XML description of
the VM's configuration parameters). If you configure multiple drives
within your VM, or if you're using undo disks or differencing disks,
more than one VHD file will exist.

When you're moving VMs from one location to another on the same host,
and you want to keep the VMC and VHD file together, it's easiest to
remove the VM from Virtual Server Manager, then re-add it by entering
the path to the location to which you copied the VHD and VMC files.
This applies when the drive letter, folder name or filename, or
another element of the path changes. After you add the system, you
need to configure the new path to the VHD files by choosing the
Configure option and selecting your newly moved system. In the
configuration window, select the Hard disks item and modify the Fully
qualified path to file value to reflect your new VHD location. You
might also want to add or remove search paths as appropriate from the
Virtual Server Manager's Server Properties menu.

Now that you've moved your VM's VHD and VMC files to a volume located
on a SAN, you can use a similar process to move VMs to another host,
without needing to copy the data. For example, suppose you're
replacing an old server that hosts a number of VMs. You can provision
the new hardware, install the necessary software (including Virtual
Server), and prepare it to connect to the iSCSI SAN. When the new
server is ready to go into production, cleanly shut down the VMs,
dismount the SAN volume from the old server, and mount it on the new
server as discussed in the "Configuring SAN Volumes for Windows
Virtual Server" sidebar. With proper planning and preparation, your
VMs shouldn't be offline for more than 10 or 15 minutes. You can use
similar techniques for disaster recoverability, but more comprehensive
approaches are available through third-party backup vendors. Also,
Windows Server 2008's new Hyper-V technology promises advanced,
centralized VM management capabilities.

Working with ESX Server 

As I did with Windows Server, I started by configuring a couple of VMs
on a local disk on the ESX Server system. I performed these steps
through the VMware Infrastructure Client, which Figure 3 shows. After
configuring some SAN targets and formatting them with Virtual Machine
File System (VMFS, as I discuss in the "Configuring SAN Volumes for
VMware ESX Server" Web-exclusive sidebar), I manually moved a VM to
the new volumes by using the manual method proposed by VMware in its
Knowledge Base article "Manual Migration Procedure for Moving a
Virtual Machine on ESX Server" (see the Learning Path).

Figure 2: The Virtual Server Administration Web site

Figure 3: The VMware Infrastructure Client

I found a utility called FastSCP from Veeam Software that simplifies
this manual process with a GUI interface. Like the Windows
virtualization scenario, the VMware process of getting the virtual
files onto a SAN volume gives you more portable and flexible
management and recoverability, but to gain the best leverage of an
iSCSI SAN in a VMware environment, you need to purchase VMware's
VMotion add-on. VMotion lets you migrate an entire VM to a new host
without needing to move the associated virtual disk files from their
location on shared storage. VMotion automates this entire process and
can perform it on hot or cold VMs. Whether or not you're able to take
advantage of VMware's advanced add-on functionality, just getting your
VMs onto SAN-based storage will give you the level of data protection
afforded by the SAN hardware and features that your SAN vendor offers.

SAN Data Protection 

In addition to the shared-storage and porta¬ 
bility advantages that a SAN brings to virtual¬ 
ized environments, the advanced availability 
and data-protection features that most ven¬ 
dors offer can yield numerous benefits. Ven¬ 
dors take varying approaches to licensing 
features on their platforms. Some offer a la 
carte options that you can pay for as you need 
them, whereas others, such as Dell, sell their 
products with every feature enabled. 

You can use snapshot technology, which 
quickly creates a copy of a volume's con¬ 
tents at a specific point in time, for instant 
or scheduled backups. Because snapshot 
operations happen quickly and because 
snapshots can be mounted as separate 
volumes, they can be useful in testing and 
migration operations. Some platforms also 
feature integration with Microsoft's Volume 
Shadow Copy Service (VSS) framework, 
which enables snapshot backups that ulti¬ 
mately offload the backup process from 
application servers. 

Replication is another technology that offers simplified data protection
in a SAN environment. You can use replication to create point-in-time
copies of one SAN array or group and move them to another array or group
in a physically separate location. Because iSCSI runs on Ethernet, the
distance between these replica partners can be virtually unlimited,
offering a strong measure of protection against natural disasters or
other catastrophes. Depending on the situation, you can make either
replica partner the primary storage entity and you can synchronize any
changes once both sites are back online. Some vendors have highly
customized variations of this technology that perform real-time striping
of data across physical units in geographically separate locations.

Finally, MPIO—which lets a server use more than one read/write path to an
iSCSI storage device—is a technology that provides fault tolerance
against single points of failure in switch or NIC hardware or cabling.
Multipathing can also provide load-balancing of SAN traffic, resulting in
performance improvements in high-utilization iSCSI implementations.

More iSCSI SAN/Virtualization Benefits

SANs and virtual environments complement each other in quite a few ways;
in fact, I won't be able to do them justice in one article. However, two
notable capabilities to consider are booting from SAN and iSCSI VM
clustering.

Booting from SAN. Booting servers directly from a SAN is an alternative
to provisioning physical servers that have a local disk with an OS
installed, offering numerous benefits related to reliability, disaster
recoverability, simplified backup, and manageability. Booting from an
iSCSI SAN is most easily accomplished with a dedicated HBA, but you can
find solutions to configure boot from SAN for standard NICs.

Clustering. Virtual Server guest clustering is a technology in which VM
nodes communicate with their shared storage via iSCSI to accommodate
failover from one VM to another. This relatively low-cost clustering
scenario provides high-availability implementations for VMs and offers a
better means for applying patches and conducting other hardware or
software maintenance.

One-Two Punch for the Future

Of course, not every SMB IT organization has the budget to deploy a new
iSCSI SAN and virtualization infrastructure. The key is to recognize the
potential of each technology and the advantages of having both. Then,
plan your roadmap to get the most out of incremental investments in these
technologies—with an eye toward the ultimate goal of full-scale
deployment of both.

♦ 

InstantDoc ID 99229 
Safeguard Your SharePoint Content with Data Protection Manager


Microsoft SharePoint Products and Technologies have become a crucial
component of the infrastructure in many organizations, with the platform
serving as a mission-critical document repository and collaboration tool.
Unfortunately, the platform's built-in backup and restore capabilities
have never really delivered the type of enterprise capabilities that
organizations have come to expect. Of particular note is the fact that
there's no native way to provide for item-level recovery of documents or
list items stored within SharePoint. With the release of Microsoft System
Center Data Protection Manager (DPM) 2007, however, administrators have
access to a rich set of recovery tools for SharePoint, allowing for
advanced snapshot-based recovery of SharePoint content from within a
simple but powerful interface. As with any new technology, there are tips
and tricks involved with DPM's deployment and caveats that you need to
take into account. Read on to learn what it takes to deploy DPM into a
Windows SharePoint Server (WSS) 3.0 or Microsoft Office SharePoint Server
(MOSS) 2007 environment, including best-practice architectures and
maintenance requirements of the application.


Take your SharePoint restoration to the item level

by Michael Noel 


Introducing System Center Data Protection Manager 2007 

In the past, organizations that required robust enterprise backup and
restore capabilities for SharePoint either purchased third-party software
or constructed an elaborate process of invoking command-line utilities
such as Stsadm that performed site-collection-level backups. Although
many of these third-party products offer great functionality for
SharePoint, they can be expensive and cumbersome to use. Microsoft was on
the line to produce a utility that could easily manage and back up
SharePoint on its own terms, allowing both for day-to-day recovery of
individual items within SharePoint and for full-scale disaster recovery
of the entire SharePoint infrastructure.

System Center DPM is Microsoft's foray into the enterprise backup space.
It's the second generation of a product that was designed to provide
simple but powerful backup capabilities for Microsoft infrastructures,
including the Windows OS, Microsoft SQL Server, Exchange Server, and
SharePoint. Microsoft developed DPM to integrate directly with Windows'
Volume Shadow Copy Service (VSS), allowing the product to create
snapshots of data on a protected system as frequently as every 15
minutes. This means you could potentially configure DPM to recover a
failed server to a point in time no more than 15 minutes in the past.

Figure 1: The DPM console

Figure 2: DPM built-in report options

DPM offers two distinct benefits for SharePoint administrators. The first
is the ability to take a VSS snapshot, back up the SharePoint SQL
databases, and provide up-to-the-minute restoration capabilities. The
second benefit is DPM's SharePoint-aware item-level recovery
capabilities, which allow administrators to restore items from the moment
of the last recovery point. It's important to note that backups of
SharePoint content databases and SharePoint content, although these are
the most critical components to back up in a SharePoint environment,
don't provide for restores of the SharePoint indexes, Web part binaries,
or the IIS metabase on Web front ends. These components should be backed
up using the XML-based backup that is included in SharePoint.

DPM also allows for other advanced functionality such as Exchange
database and mailbox-level recovery capabilities, bare-metal recovery of
servers, and the ability for end users to restore earlier file versions
directly from protected file servers simply by using Windows Explorer. In
addition, Microsoft makes DPM administration robust and simple using
either a PowerShell console or the standard GUI-based DPM Administrator
console, which Figure 1 shows. To keep managers happy, the console also
includes a series of built-in reports, such as the ones shown in Figure 2.
These capabilities position DPM as a powerful tool not only for
SharePoint, but for any Microsoft-focused organization.

Designing a SharePoint DPM Solution

DPM performs backups from a central console server. This server is
directly attached to any disk volumes or tape backup libraries to which
data will be backed up. DPM performs both short-term (backup to disk) and
long-term (backup to tape) content protection, and you can configure it
to "expire" content from the disk-based storage and archive that content
to tape.

I highly recommend DPM's short-term backup-to-disk capabilities. They
allow an organization to perform backups quickly, without the need to
spool to tape. To use this option, you need to allocate a large chunk of
disk space to the DPM console. Typically, the types of disks presented to
DPM are slower, cheaper disks such as 7200rpm Serial ATA (SATA) drives on
a SAN, or a large DAS storage enclosure. The amount of space required
will vary depending on how much data DPM is backing up, how frequently it
takes snapshots of the data, and how often it performs Express Full
Backups. (DPM defines Express Full Backups as backups that include all
data from the target, but transfer only changed files, reducing the
amount of time and bandwidth that the backups take.) In addition, a
SharePoint item-level recovery backup is a separate type of backup from a
SharePoint SQL database backup, so you might need to allocate more disk
space for this type of backup to have the most flexibility with the
SharePoint restores.

To illustrate, let's say you have 500GB of data stored in SharePoint
content databases. Because the backup-to-disk volumes used must be larger
than the size of the data, you would need approximately 700GB to 800GB of
space on the backup-to-disk volume just for the SharePoint SQL database
backups and the snapshots associated with them. In addition, you need to
set aside 600GB to 800GB of space for backups of SharePoint items, as
these types of backups are stored on different volumes than the SQL
backups. The total amount of space consumed to back up 500GB of
SharePoint content could easily eclipse 1.5TB on the DPM console in this
scenario. Therefore, it's important to plan out the disk infrastructure
required for DPM's backup-to-disk capabilities.

Figure 3: The DPM System Recovery Tool

Incidentally, one common mistake administrators make when allocating disk
space to DPM is that they create or format volumes before presenting them
to DPM through the Management tab of the console. However, DPM prefers
unformatted, raw disk space, because it creates a large number of smaller
volumes as part of its provisioning process. You should simply add raw
disk space to the server and add the disks to the console as needed.

Using the DPM System Recovery Tool

It's not immediately obvious how to back up the DPM console, but it's
crucial to do so to prevent the backup infrastructure from collapsing.
Microsoft provides a separate tool, known as the DPM System Recovery Tool
(SRT), which Figure 3 shows, for backing up the DPM console. The tool
lets you create a boot disk and provides bare-metal recovery of any
server it backs up. This essentially lets you recreate the exact running
state of any server, even if the original server no longer exists.

There are a few key points that are important to understand about the DPM
SRT. First, the tool is completely independent from the standard DPM
product. It installs from separate media, uses its own agents, and
operates independently. Second, by default, the SRT keeps all system
backups indefinitely, which could cause the server to quickly run out of
disk space. Be sure to configure the server to keep only a specified
number of backups. Finally, remember that without SRT, a DPM
infrastructure has a major Achilles heel: If the DPM console goes down,
all backup history and logs will be lost, and recovering the data would
be a challenge.

Preparing Servers for Backup 

There are several prerequisites you need to satisfy before you install
DPM and before it can protect managed servers. First, the DPM console
must have access to its own SQL Server database for storing DPM-specific
configuration and job information. Best practice would be to use a local
SQL Server Express database on the DPM console server, as storing the
database on a protected server could be catastrophic if that server went
down.

You should also install both Microsoft IIS and Windows Deployment
Services (WDS) on the machine before you install the DPM software. From
experience, I can tell you that if you forget to install IIS and WDS in
advance, DPM installation will likely fail, particularly if the server
you are installing DPM on is running Windows Server 2003 SP2. You must
also install PowerShell 1.0 and the VSS patch referenced in the Microsoft
article "Availability of a Volume Shadow Copy Service (VSS) update rollup
package for Windows Server 2003 to resolve some VSS snapshot issues," at
support.microsoft.com/kb/940349.

The DPM console must be installed with Windows Server 2003 SP1 or R2, as
Windows Server 2008 is not yet supported. I also recommend that you
install the 64-bit version of both Windows and DPM 2007, because memory
support is better, and the system will scale much better than a 32-bit
version will. As a side benefit for Exchange Server 2007 administrators,
installing the 64-bit version of DPM lets you run the native version of
Eseutil against backed up copies of Exchange databases.

All managed servers must be running Windows 2003 SP1 or later and have
the KB940349 patch installed. SQL servers must be either SQL Server 2005
SP1/SP2 or SQL Server 2000 SP4, and must have the VSS Writer service
running.

To perform an item-level backup of SharePoint, the SharePoint Web
front-end servers must satisfy their own specific requirements. This
involves installing a SharePoint-specific patch referenced in the
Microsoft article "Description of the Windows SharePoint Services 3.0
post-Service Pack 1 hotfix package: January 31, 2008,"
(support.microsoft.com/kb/941422), starting the VSS Writer service, and
providing the protection agent with the credentials for the MOSS/WSS
farm. This last step is a bit more involved, but essentially involves
running the ConfigureSharePoint.exe tool from the SharePoint Web
front-end server. This tool, located in the \bin subfolder of the DPM
installation directory on the DPM server, prompts you to enter the farm
administrator credentials for SharePoint. You must re-run the tool
whenever the farm administrator credentials change.
Figure 4: Deploying DPM agents to protected systems

And, of course, before any backups can take place from the console, you
must deploy specialized DPM agents to any system that will be backed up.
These agents, deployed and administered from the console, as Figure 4
shows, can be pushed out to systems using an account with local admin
rights on the servers. After you've satisfied all prerequisites and
pushed out the agents, you create the initial backup replicas via the use
of Protection Groups.
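
The managed-server prerequisites listed in this section can be verified before agents are pushed out. The following Windows PowerShell function is an added example, not code from the article or from Microsoft; the function name, its parameters, and the VSS writer service names (SQLWriter, SPWriter) are assumptions, and it only reads WMI data without changing anything.

```powershell
# Added example: read-only check of the prerequisites the article lists for a
# server that DPM 2007 will protect. Uses only Get-WmiObject so it can query a
# remote server with an administrative account.
# Not checked here: the SQL Server version/service pack and the SharePoint
# hotfix KB941422; verify those separately.

function New-CheckResult([string]$Check, [bool]$Passed, [string]$Detail) {
    $r = New-Object PSObject
    $r | Add-Member NoteProperty Check  $Check
    $r | Add-Member NoteProperty Passed $Passed
    $r | Add-Member NoteProperty Detail $Detail
    $r
}

function Test-DpmProtectedServer {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$SqlServer,             # target hosts SharePoint SQL databases
        [switch]$SharePointFrontEnd,    # target is a SharePoint Web front end
        [string]$SqlWriterService = 'SQLWriter',  # assumed service name
        [string]$WssWriterService = 'SPWriter'    # assumed service name
    )

    # 1. Windows Server 2003 SP1 or later. Server 2003 reports version 5.2;
    #    ProductType 1 is a workstation OS, which does not qualify.
    $os   = Get-WmiObject Win32_OperatingSystem -ComputerName $ComputerName
    $ver  = [version]$os.Version
    $sp   = [int]$os.ServicePackMajorVersion
    $is2003Sp1 = ($ver.Major -eq 5) -and ($ver.Minor -ge 2) -and ($sp -ge 1)
    $osOk = ($os.ProductType -ne 1) -and (($ver.Major -gt 5) -or $is2003Sp1)
    $osDetail = '{0} (version {1}, SP{2})' -f $os.Caption, $os.Version, $sp
    New-CheckResult 'Windows Server 2003 SP1 or later' $osOk $osDetail

    # 2. VSS update rollup KB940349. The rollup is a Windows Server 2003
    #    package, so the check is reported as not applicable on later versions.
    if ($ver.Major -eq 5) {
        $qfe = Get-WmiObject Win32_QuickFixEngineering -ComputerName $ComputerName |
               Where-Object { $_.HotFixID -like 'KB940349*' }
        $qfeDetail = 'not found in installed hotfix list'
        if ($qfe) { $qfeDetail = 'installed' }
        New-CheckResult 'VSS rollup KB940349 installed' ([bool]$qfe) $qfeDetail
    }
    else {
        New-CheckResult 'VSS rollup KB940349 installed' $true 'not applicable to this OS version'
    }

    # 3. The VSS writer service must be running on SQL servers and on
    #    SharePoint Web front ends that take part in item-level backup.
    $writers = @()
    if ($SqlServer)          { $writers += $SqlWriterService }
    if ($SharePointFrontEnd) { $writers += $WssWriterService }
    foreach ($name in $writers) {
        $svc = Get-WmiObject Win32_Service -ComputerName $ComputerName -Filter "Name='$name'"
        $state = 'service not installed'
        if ($svc) { $state = '{0} (start mode: {1})' -f $svc.State, $svc.StartMode }
        $running = [bool]($svc -and $svc.State -eq 'Running')
        New-CheckResult "VSS writer service '$name' running" $running $state
    }
}

# Check the local machine as a SQL server; add -ComputerName and
# -SharePointFrontEnd for a remote front-end server.
Test-DpmProtectedServer -SqlServer | Format-Table -AutoSize -Wrap
```

Any row with Passed set to False points at a prerequisite to fix before creating the Protection Group; the farm administrator credentials supplied through ConfigureSharePoint.exe still have to be confirmed by hand.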

Creating a Protection Group 

DPM uses the concept of a Protection Group, such as the ones that Figure
1 shows. Each Protection Group provides for different schedules, snapshot
frequencies, and retention ranges, which you configure when you create
the Protection Group. For each Protection Group, a replica volume and a
recovery point volume are created for each protected resource. For
SharePoint content databases, this means that each protection group will
create two volumes for every content database. The recommended sizes for
the replica and recovery point volumes will change based on criteria you
specify when creating the group, so it's not a bad idea to play around
with those numbers to see how performing additional Express Full Backups
or taking snapshots of data more often increases or decreases recommended
volume size. Bear in mind that the recommended size for each of these
volumes is determined according to the current size of the database, so
you should increase the volume sizes if you anticipate that content
database size will increase.

It's crucial that you understand the difference between a SQL content
database backup and a SharePoint item-level backup. The SQL content
backup is based on VSS snapshots, but an entire database would need to be
recovered in the event of data loss. These types of backups are geared
toward scenarios involving disaster recovery. The SharePoint item-level
backups, which are performed against a SharePoint Web front-end server,
aren't snapshot-based, so items can be recovered only at the point of the
last Express Full Backup, but this type of backup lets you recover
individual items without initiating a full database restore.

Restoring Content 

The Recovery tab of the DPM console is 
where administrators can initiate restores 
of individual SharePoint items or of entire 
SharePoint content databases. You can 
restore SharePoint SQL content databases 
from SQL backups—either by overwriting 
an existing database or recovering it to a 
different SQL Server instance or even a flat 
network folder. 

SharePoint item-level recovery using the DPM console simply requires
navigating through a folder hierarchy to find the individual document or
list item and restoring it to the SharePoint site. Assuming the item
hasn't been archived to tape, it's immediately restored to the site.

Understanding DPM Licensing

DPM licensing costs are calculated according to the type of server being
backed up. Standard Windows servers, such as file servers, require a DPM
standard license; application servers such as Exchange, SQL Server, and
SharePoint servers require an enterprise license. Your organization might
already own DPM licenses, particularly if you're invested in other System
Center products such as Operations Manager 2007 or Configuration Manager
2007. It's best to check with Microsoft to see what type of deal you can
obtain.

Not Perfect, But... 

For those organizations heavily invested in SharePoint and without a
current item-level recovery product in place, DPM is an excellent choice.
DPM is an impressive product, and there's something quite magical about
how simple it is to restore an entire environment painlessly with a few
mouse clicks. It's not perfect—I'd personally like to see the ability to
install multiple redundant primary consoles, for example—but all in all,
it's an excellent tool to provide for enhanced recovery and protection
capabilities for a SharePoint 2007 environment.

InstantDoc ID 99025 


Michael Noel

(michael@cco.com) is a partner at Convergent Computing, a Microsoft
SharePoint MVP, and the author of books on SharePoint, ISA Server, and
Exchange Server. His latest book is Windows Server 2008 Unleashed (Sams).
NEW & IMPROVED


Data Center Management

Monitor Data Center Temperature and Humidity



Keeping your data center within an optimal operating environment is the
focus of AVTECH Software's Room Alert Signal Tower, a device that
provides real-time monitoring of a variety of environmental variables.
You can configure the product to monitor air temperature, humidity, and
network latency; in addition, the product offers an open sensor port that
lets you add more sensor types, including motion, room-entry sensors. The
Room Alert Signal Tower includes PageR Enterprise software for network
monitoring and ships with multiple Ethernet ports, a multicolor light
tower, and an optional auditory alarm. A Web-based interface lets you set
device variables and generate graphs and logs of sensor activity. Pricing
begins at $395 for the basic Room Alert Signal Tower, and the Room Alert
Signal Tower w/Audio lists at $495. For more information, contact AVTECH
Software at 888-220-6700 or 401-847-6700, or visit www.avtech.com.







Founding employees of 
VMware, Inc, which was 
formed in 1998. 


www.windowsitpro.com 


Application Performance Management

Detect and Troubleshoot Performance Problems

Fluke Networks has announced Visual Performance Manager 4.0, the latest
version of its application performance management system. This release
incorporates a new alarm function that combines information from multiple
data sources—including Fluke Networks' Visual Performance Manager
Analysis Service Elements (ASEs)—to find application performance
problems.

According to Fluke Networks, the product provides visibility of network
and infrastructure performance from the data center to remote desktops.
For more information, contact Fluke Networks at 800-283-5853 or
425-446-4519, or visit www.flukenetworks.com.


Security 

Reset User Passwords 

Special Operations Software has launched Specops Password Reset, a new
product that lets end users reset their own system passwords and unlock
their user accounts through a Web-based interface. According to the
vendor, the product relies on Windows Group Policy and Active Directory
(AD) for enhanced security and improved system integration. You can also
configure the product to require the use of secret questions and cell
phone verification codes for improved security. For more information,
contact Special Operations Software at 866-857-5325 or 416-849-5325, or
visit www.specopssoft.com.


Business Process Management

Discover, Troubleshoot, and Visualize IT Business Processes

Fujitsu Computer Systems has announced an Automated Business Process
Discovery service that the vendor claims will help companies discover and
visualize complex business processes. The service pulls data from an
organization's IT infrastructure, then analyzes that data to display
business workflows. According to Fujitsu, the service has helped early
customers improve business processes, spotlight points of potential risk,
and streamline processes for greater efficiency. Fujitsu Computer Systems
is currently providing a free trial of the Automated Business Process
Discovery service to North American customers. For more information,
contact Fujitsu Computer Systems at interstage@us.fujitsu.com or visit
www.computers.us.fujitsu.com.


Data Center Management 

Monitor Power Consumption 

DSView 3 Power Manager is a new plug-in for Avocent's DSView 3 management
software that lets IT pros monitor power consumption in their data
centers. This new plug-in can collect and report on power information
from individual servers to the entire data center, providing information
about energy consumption, cooling problems, outage risk, and other
power-related topics. The software can convert information about
electrical usage by kilowatt (kW) to kilowatt hours (kWh) and features a
power-cost calculator that lets IT pros monitor their energy
expenditures. For more information, contact Avocent at 866-286-2368 or
256-430-4000, or visit www.avocent.com.



Emails sent to the Windows 
IT Pro products inbox over 
Memorial Day weekend. 


Help Desk 

Manage Help Desk Requests with Outlook 

Crow Canyon Systems (CCS) has announced CCS HelpDesk 4.0, the latest update to
its HelpDesk family of products. The product is available in Lite and Standard editions,
with a Web-based Pro edition expected to ship in Q3 2008. All versions of the product
feature additional Help ticket notification and logging options, as well as streamlined
ticket assignment, closer integration with the Microsoft Office Outlook calendar, an
enhanced knowledge base, and resolution tracking and ticket workflow improvements.
Pricing for both Lite and Standard editions of CCS HelpDesk 4.0 begins at $295.
For more information, contact Crow Canyon Systems at 925-478-3110, or visit
www.crowcanyon.com.
Networking Hardware

Gigabit Ethernet Workgroup Switches

New from Enterasys Networks is the Enterasys D-Series family of Gigabit
Ethernet enterprise workgroup switches. This new product family includes
redundant power supplies and supports IEEE 802.3af Power over Ethernet
(PoE) options for improved support of wireless Access Points and other
devices needing a PoE connection. According to Enterasys, the D-Series
can detect and classify a variety of data types, including video, data,
and voice applications. It has 12 RJ-45 10/100/1000Mbps copper ports, as
well as two Small Form-Factor Pluggable (SFP) slots for multi- or
single-mode Gigabit Fibre Channel connectivity. Pricing for the Enterasys
D-Series begins at $100 per port. For more information, contact Enterasys
at 877-801-7082 or 978-684-1000, or visit www.enterasys.com.
INDUSTRY BYTES

INSIGHTS FROM THE INDUSTRY

MMS 2008 and Interop: Fear, Loathing, and Flying Pork in Las Vegas


The Windows IT Pro editorial team recently 
descended on Las Vegas to cover the 
Interop and Microsoft Management Summit 
(MMS) trade shows. MMS focuses primarily 
on the Microsoft System Center family of 
products, while Interop 
covers the much 
broader area of IT 
interoperability. Both 
shows had interesting 
products on display, 
but perhaps the 
week's biggest news 
was represented by a 
plastic pig given out by 
Microsoft at both events. 



Microsoft + Linux = Flying Pig


MMS 2008: Beware the Flying Pork 

My, how times have changed. A few years ago, Microsoft CEO Steve Ballmer
was quoted as saying that Linux was "a cancer that attaches itself in an
intellectual property sense to everything it touches." The attitude
behind that sharply-worded jab at Linux seemed forgotten at MMS 2008, a
venue Microsoft used to unveil some extensions to its Microsoft System
Center family of products. The highlight of MMS was the Cross Platform
Extensions for Microsoft System Center 2007, which allows System Center
to monitor and manage Linux, UNIX, HP-UX 11i, and Sun Solaris 10 assets
in a heterogeneous IT environment.

The announcement of the Cross Platform Extensions beta shed some
additional light on the raft of patent-sharing agreements Microsoft made
months ago with Novell, Sun Microsystems, and other Linux/UNIX vendors.
During the MMS keynote, Microsoft Senior Vice President of Server and
Tools Bob Muglia stressed that these new extensions should help customers
familiar with the Windows platform more easily administer heterogeneous
IT environments. Muglia joked that he hoped the audience would choose to
manage more Windows assets than non-Windows ones, but the message was
clear: Microsoft customers requested the functionality, and Microsoft—in
a move unthinkable just a few years ago—obliged by adding the requisite
heterogeneous-platform-management pieces to System Center.

The winged plastic pigs handed out at MMS and Interop were a particularly
appropriate trade show giveaway and helped serve as an obvious (and
bright pink) physical manifestation of two important things: First,
Microsoft has unarguably mellowed its stance on working with Linux and
other non-Windows machines. And the second? That this often humorless
(and hypercompetitive) software giant might finally be developing a
long-overdue sense of self-deprecating humor. Perhaps pigs did need to
fly before someone could say that, and I have proof—I saw the winged
swine with my own eyes.

Interop: Two-Factor Phone Security and Asset Tracking

While MMS invaded the Venetian, Interop 
occupied the Mandalay Bay convention hall 
at the other end of the Vegas strip. Interop 
was larger than MMS, and the scope was 
broader. (The press room at Interop was 
bigger and had better food for the hungry 
mass of ill-tempered tech journalists, but I 
digress.) 


Jeff James | jjames@windowsitpro.com 


The Interop expo was awash with vendors, and a few companies in
particular had some novel products on display. One was Ekahau, a small
firm that provides Wi-Fi-based Real Time Location Systems (RTLS). Here's
how they work: You affix an Ekahau tag to a valuable asset, and the tag
begins broadcasting a Wi-Fi signal. An Ekahau RTLS agent installed on a
PC within the enterprise continuously tracks the location of the tag,
allowing IT admins to monitor the location of those tags with Web-based
management software. Ekahau Marketing Manager W. Judson Vaughn said that
the healthcare industry was one of the company's biggest markets, as
hospitals tend to have expensive mobile equipment that needs to be
located quickly. Ekahau's solution looks like an inexpensive way to keep
a handle on the exploding number of portable devices that IT pros are
asked to maintain and manage.

Another intriguing product was PhoneFactor, a two-factor security
solution from Positive Networks. The system consists of a software agent,
which is installed on a host PC and lets admins add users and change
distribution lists, and a cell phone. After the agent is installed and
configured, users can log on to their system as usual by entering their
username and password. The user immediately receives a phone call from
PhoneFactor, which requires the user to press the phone's # key to
confirm the authentication and complete the logon. The basic PhoneFactor
system is free, although Positive Networks does offer an enhanced version
for enterprises that—for a nominal fee—provides integration with Windows
Terminal Services and support for VPNs and Outlook Web Access.

—Jeff James

Paul’s Picks


LANDesk Application Virtualization

Following is a summarized version of Michael Otey's review of LANDesk
Application Virtualization. To read the full-length version of the
article, go to www.windowsitpro.com and enter InstantDoc ID 99105.

Application virtualization truly marks the end of DLL Hell, enabling
applications to be installed and used without making changes to the base
Windows OS. I tested LANDesk Application Virtualization, one of the
next-generation application-virtualization products. It uses VMware's
Thinstall technology, which provides a Virtual OS (VOS) that's very
lightweight, with a virtual registry layer and a virtual file system
layer, and which performs EXE process and DLL loading. Unlike other
application virtualization solutions, LANDesk Application Virtualization
doesn't require a client to be installed on the target system.

I installed LANDesk Application Virtualization on a 32-bit Windows Vista
Business system with 1GB of RAM running an Athlon 3000+ processor. The
LANDesk Application Virtualization installation ran off a USB key. Active
Directory (AD) isn't required. Getting started with LANDesk Application
Virtualization wasn't intuitive. The Quick Start guide provided as a
Microsoft Word document stored on the USB key was written assuming you
were familiar with the product and offered no overview of the process
required to use the LANDesk Application Virtualization product. The
information was also incorrect, referring to Thinstall in places rather
than LANDesk. Fortunately, the online help offered a very informative
video that showed how to create virtual applications.

Using LANDesk Application Virtualization requires two systems: a desktop
system to build the virtual applications (and where you install the
LANDesk Application Virtualization software), and a clean system to
record the system changes that occur when you install the programs that
you want to virtualize. To begin, you share the LANDesk directory, then
go to the clean machine and launch the Setup Capture program from the
shared directory.

The Setup Capture program involves a 
multi-step process in which you first take 
a pre-installation snapshot of the clean 
machine, install the application to be 
virtualized, and perform any application 
customization that you want. Then you 
take a post-installation snapshot, which 
creates a directory consisting of all of the 
system changes made by the installed 
applications. Within the generated 
directory a build.bat file creates the virtual 
application. 

I was able to create my first virtual application in about 10 minutes.
Deploying the application is as simple as copying the generated
executable file to the target system and running it.

I highly recommend LANDesk Virtual 
Application, especially if you don't want to 
deal with complex infrastructure and client 
application requirements. Deploying apps 
was incredibly easy.

InstantDoc ID 99105


LANDesk Application 
Virtualization 

PROS: No client software needed; complete 
application sandboxing; enables the creation of 
USB applications 

CONS: Multi-step manual creation process for 
virtual applications; manual shortcuts required 
for virtualized applications 

RATING: 

PRICE: $39 per client 

RECOMMENDATION: LANDesk is a terrific 
product for companies just getting started with 
application virtualization. It's reasonably priced 
and provides the same essential benefits as 
more costly solutions such as Microsoft SoftGrid 
Application Virtualization but has none of the 
complex infrastructure requirements. 

CONTACT: LANDesk • www.landesk.com • 
800-982-2130 
SUMMARIES of in-depth product reviews
on Paul Thurrott's SuperSite for Windows

Microsoft Forefront Code Name 
Stirling Preview 

PROS: Now more integrated than before; 
can automatically respond to threats; highly 
configurable 

CONS: Beta version shouldn't be deployed in 
production environments; many admins won't 
trust automatic response mechanisms at first 

RATING: N/A 

RECOMMENDATION: For the first time 
in Microsoft Forefront Code Name Stirling, 
Forefront's various tools talk to each other 
over logical assessment channels and respond 
automatically to threats. Also within Stirling, 
Microsoft ISA Server and Intelligent Application 
Gateway are morphing into a consolidated 
product called Forefront Threat Management 
Gateway, or TMG, which will provide a firewall,
Web antivirus, and remote access protection. 

CONTACT: Microsoft • www.microsoft.com • 
800-426-9400 

DISCUSSION: www.winsupersite.com/showcase/forefront_stirling_preview.asp

Celio Technology REDFLY Mobile 
Companion 

PROS: Provides full keyboard and a bigger 
screen for use with Windows Mobile smart 
phones; excellent performance 

CONS: Works with limited range of devices; 
Windows Mobile application software is less 
powerful than non-mobile Windows software 

RATING: ♦♦♦♦O 

RECOMMENDATION: The REDFLY is a 
mobile companion for Windows Mobile 
devices. It's a small laptop-like device with 
a full keyboard, trackpad, and an 8-inch 800 
x 480 screen. It tethers to your smart phone 
wirelessly via Bluetooth or USB. With no 
onboard storage, the REDFLY is easier and less 
expensive to manage than a true laptop, and 
if you lose it, there's no chance of data loss. It's 
limited, however, by Windows Mobile: In many 
cases, Microsoft Office Mobile and Pocket 
Internet Explorer are simply insufficient for a 
typical road warrior's needs. Still, the REDFLY 
will intrigue those who like to travel light. 

CONTACT: Microsoft • www.microsoft.com • 
800-426-9400 

DISCUSSION: www.winsupersite.com/reviews/redfly.asp
REVIEW


KBOX 1100 Systems
Management Appliance 

Plug it in and benefit from a functionality boon 


Following is a summarized version of John 
Green's review of KACE Networks' KBOX 1100. To 
read the full-length version of the article, go to 
www.windowsitpro.com and enter InstantDoc 
ID 98976. 

KACE Networks' KBOX 1000 series of appliances
deliver a broad set of standard and
optional systems management features. I
tested the KBOX 1100, whose key standard
features include hardware and software
inventory, software distribution, PatchLink-powered
patch management from Lumension,
and the presentation of information
from KACE's AppDeploy Live database of
practical systems management information.
Reporting, alerting, and role-based permissions
are also standard features. There's a lot
to cover in the KBOX, so let's get right to it!

Architecture 

The KBOX utilizes agents installed on each 
managed system; the agent communicates 
with the KBOX, returning information about 
the client system's hardware and software 
configuration and managing the installation 
of patches and applications. 

Many of KBOX's features operate as 
scheduled tasks, so you can manage their 
frequency. Automatic installation of the KBOX 
agent and the agentless network IP scan are 
examples of tasks that you might want to 
schedule after hours. KBOX administration 
accommodates distributed environments, 
supporting roles that limit which KBOX facilities
a user can access as well as user-defined
Organizations for grouping managed systems.
To authenticate access, the KBOX uses
locally administered user IDs or Active Directory
(AD)/LDAP-based authentication.

Testing 

The KBOX requires minimal initial configuration.
After attaching a monitor, mouse, and
keyboard, I booted the system, then logged
on and provided standard IP and DNS configuration
information. Next, I connected an
Ethernet cable, rebooted the system, and
accessed the KBOX's integrated management
Web site, which was very responsive
and easy to navigate. Eight buttons along
the top of the UI provide access to the
various functionality areas, and the tabbed
interface supports major subfunctions. In
the upper-right corner, a drop-down box
lets you select the Organization you want to
work with. Selecting the System OU displays
configuration screens for system-level KBOX
parameters.

The KBOX offers many more features 
than I can describe in this space, so I'll run 
quickly through my experience with some 
of the key features. KBOX's IP Scan can list 
all the systems it finds in DNS records, as 
well as those that respond to Ping and 
SNMP queries, letting you track systems that 
lack an agent. Once the agent is installed, 
a system is deemed a managed system. 
KBOX lets you assign multiple labels to each 
system as a way to flexibly group systems 
for various tasks and reporting. The agent 
collects and maintains detailed information 
about each managed system's hardware 
and software configuration. 

To set up software distribution, you start 
by creating or editing an item on the Inventory
area's Software tab to provide KBOX
with the location of the software-installation 
package. (KBOX supports .exe, .zip, and .msi 
format installation packages for Windows 
systems.) KBOX uploads it, then lets you 
configure how and when KBOX will push 
the installation out to designated (or all 
managed) systems. 

KBOX's scripting features let you build
scripts for administrative tasks. To do so,
you use drop-down boxes to select job
tasks within a phased structure (i.e., Verify,
On Success, Remediation, On Remediation
Success, On Remediation Failure). The drop-down
menus make various tasks available,
depending on the task phase. Scripting
supports both configuration and security
policy deployment and enforcement, offering
capabilities such as managing registry entries,
starting services, and killing processes.

To use the patch-management feature, 
which is available in the Security area, you 
subscribe to updates for the OS versions 
you use and, optionally, related application 
program patches. KBOX downloads patches 
nightly and awaits your approval before 
the patches become eligible for deployment.
Once you approve a patch, KBOX
runs a "detect and deploy" process either 
on demand or as you schedule it. The KBOX 
supplies descriptive information about 
each patch to help you along the approval 
process and provides a set of reports to 
show the status of patches and systems. 

This feature is easy enough to configure and 
use, although it could be improved with the 
addition of a deployment-status screen. 

Minor Quibbles 

The KBOX's broad feature set is remarkably 
easy to use and worked well in my testing. I 
yearned for some kind of event log and list of 
future scheduled events that might help me 
understand and manage KBOX's scheduled 
tasks. However, this shortcoming didn't really
detract from what the KBOX does well.

InstantDoc ID 98976 


KBOX 1100 Systems 
Management Appliance 

PROS: Broad feature set includes hardware/software
inventory, software distribution, and patch
management; easy to implement; responsive 
Web-based management console 

CONS: Lacks a time-stamped log of management 
events and a consolidated list of scheduled events 

RATING: ♦♦♦♦O 

PRICE: Starts at $9,900 with 100 managed 
nodes; KBOX 1200 starts at $21,150 with 100 
nodes; V-KBOX 1100 (a VM version) starts at 
$8,900 with 100 nodes; V-KBOX 1200 starts at 
$18,800 

RECOMMENDATION: KACE's easy-to-implement
and easy-to-use systems management
solution comes highly recommended. You'll
appreciate the reduced learning curve of its
integrated feature set.

CONTACT: KACE Networks • www.kace.com • 
877-646-8366 
As the established leader in
the enterprise virtualization
market, VMware's ESX Server
sets the bar for Microsoft's
new Hyper-V technology. In
"Virtualization Shootout, Part
1" (June 2008, InstantDoc ID 98879), I examined
the two products' features, setup, basic
management, and price. I found the products
to be roughly equal—even though the Hyper-V
version I tested was the beta version that
Microsoft released with the initial Windows
Server 2008 launch, Hyper-V was definitely
in the same ballpark as the more mature
ESX Server 3.5. I did find ESX Server easier to
install and get running, and its management
console is more polished and professional.

Although Hyper-V was a bit more difficult to 
set up, its feature set was directly comparable to ESX Server's. Both products are capable of running Windows 
and Linux OSs, and both support highly scalable 64-bit hosts and guests with up to 64GB of RAM per virtual 
machine (VM). Hyper-V looks good on paper, but the only way to truly know if it's roadworthy is to take it 
out for a test drive and see if it can match the performance levels set by ESX Server. 

Start Your Engines 

I originally attempted to conduct the Hyper-V testing using the Server Core version. However, I ran into a lot
of trouble getting Hyper-V set up and running on Server Core. I had no problem installing the OS or implementing
the virtualization role, but the remote management capabilities for Hyper-V on Server Core were
MIA. Remote management is mandatory for Server Core because Server Core doesn't provide a graphical
interface. I'm sure much of the problem stemmed from the code's early release state. For more information
about Hyper-V's remote management capabilities on Server Core, see the sidebar "The Good, the Bad, and
the Ugly." Because of time constraints, I ended up running Hyper-V on a full Windows Server 2008,
Enterprise Edition installation—which theoretically shouldn't make much difference because the Hyper-V
hypervisor runs beneath the OS and the Windows Server management partition runs in a VM by default.
However, using the full Server 2008 OS installation increases the overall system memory requirements, as
well as increases the system's attack surface and the need for patching.

Before beginning the performance testing, I needed to create a set of VMs on each platform. I started my
testing with ESX Server and used the Virtual Infrastructure Client to create eight VMs. Using eight VMs is representative
of a small-to-midsized business's requirements. In addition, using eight VMs takes advantage of
Server 2008 Enterprise's licensing model, which allows four active Windows instances running in VMs with
no additional licensing. Using eight VMs requires two Server 2008 Enterprise licenses. For more information
about licensing costs for my test scenario, see "Virtualization Shootout, Part 1" (June 2008, InstantDoc ID
98879).


Microsoft 
Hyper-V vs. 
VMware ESX 
Server 3.5 

by Michael Otey 

Editor's Note: Note that 
the version of Hyper-V 
that was tested in this 
review was a beta. 
VIRTUALIZATION SHOOTOUT


The Virtual Infrastructure Client connected
immediately and was responsive,
although a bit of delay sometimes occurred 
between status refreshes. The embedded 
console allowed immediate connection to 
the VMs and was also quite responsive. The 
hot-key sequence was the familiar Ctrl+Alt 
and Ctrl+Alt+Ins key combinations. Changing
the boot source was quick and easy
using the VM settings. One nice feature was 
the ability to connect the VM to either the 
local client's CD-ROM/DVD drive or the 
host's CD-ROM/DVD drive. Another nice 
feature of the Virtual Infrastructure Client 
was the activity log at the bottom of the console,
which you can see in Figure 1. Finally,
clicking the Performance tab showed a 
graphical representation of the host and 
guest VMs, with the option to select different 
sets of performance counters. 

A couple of issues that I ran into with 
ESX Server were remotely connecting to the 
native console and copying VMs between 
servers. ESX Server doesn't have Remote 
Desktop like Windows Server, and there's 
no built-in File Explorer or FTP server. However,
a couple of useful and free add-ins for
ESX Server address these issues. For more
information about these tools, see the Web-exclusive
sidebar "Free ESX Server Management
Add-ons" (www.windowsitpro.com,
InstantDoc ID 99250).

The basic VM creation and management 
using Hyper-V Manager was straightforward 
and easy. However, I found Hyper-V Manager 
to be less functional and less well thought out 
than the VMware management console. Like 
comparing a Toyota to a Ferrari, it seemed 



easy installation; a polished management console 
CONS: Somewhat limited hardware support 

RATING: ♦♦♦♦♦ 

PRICE: $1,640 for Virtual Infrastructure 
Foundation, with 1 year of support; $2,640 with 3 
years of support 

RECOMMENDATION: ESX Server is great for 
medium and large businesses looking for performance
and manageability.

CONTACT: VMware • 877-486-9273 • 
www.vmware.com 


The Good, the Bad, 
and the Ugly 

Conducting performance testing between Hyper-V and ESX Server
was definitely an interesting experience. My tests revealed a number of unexpected results,
including the following:

The good. ESX Server and Hyper-V both deliver excellent levels of performance and there's
no question that either of these products can be used to run large numbers of production-level
virtual machines (VMs). Although the number of VMs that I used for testing was optimized
around the amount of RAM available in the host and the way a small-to-midsized business
would be likely to try to take advantage of Windows Server 2008 Enterprise Edition's licensing,
both products' performance was clearly acceptable for production-level file and database
serving.

The bad. One of the things that surprised me the most in my testing was the tremendous
performance difference from the different client systems. Overall, it's no surprise that the Windows
XP client I used outperformed the Windows Vista clients by a notable margin. However,
one Vista client in particular didn't perform well in the Hyper-V database tests. If I find the cause
of this problem I'll post it to my blog, "Making IT Work"
(windowsitpro.com/blog/index.cfm?action=blogindex&DepartmentID=1092).

And the ugly. Hyper-V's remote management capabilities really hinder the prerelease version
of the product—especially when attempting to run Hyper-V on Server Core. VMware got
this part right. Downloading and running the ESX Server Virtual Infrastructure Client is drop-dead
simple. Getting the required remote connection to work for Hyper-V and Server Core
requires a strong mixture of rocket science, voodoo, and lots of luck. I found John Howard's
(senior program manager for Hyper-V) 17-step (I kid you not) process for getting Hyper-V
remote management to work ("Part 3—Hyper-V Remote Management: You do not have the
requested permission to complete this task. Contact the administrator of the authorization
policy for the computer 'COMPUTERNAME,'" blogs.technet.com/jhoward/archive/2008/03/30.aspx).
But it didn't work for me. This would be a real show stopper for Hyper-V and will obviously
have to be fixed before the final release. However, it did make me appreciate VMware's
simple and functional delivery of the management client.

InstantDoc ID 99249 



Figure 1: ESX Server VM settings 
Figure 2: Hyper-V VM settings

that Hyper-V Manager was forced to fit inside
a generic Microsoft Management Console
(MMC) 3.0 framework, whereas the VMware
Virtual Infrastructure Client was specifically
designed for VM server management.
Hyper-V's Snapshot pane in particular seemed
poorly positioned. The VMware Virtual
Infrastructure Client had a professional feel
that Hyper-V Manager just doesn't possess.
Hyper-V Manager had minimal server performance
information. Apparently in an effort to
keep IT pros on their toes, the hot-key sequence
inside the console was also changed from the
old Virtual Server and Virtual PC standards to
a new Ctrl+Alt+End and Ctrl+Alt+Left Arrow.
I also ran into problems installing the Virtual
Machine Integration Services (formerly called
Virtual Machine Additions); the different
VMs had conflicts sharing the vmguest.iso
file that is used to install Integration Services.
This is certainly an early-code problem,
but it caused me trouble nevertheless.
Hyper-V's new VM settings, which you can
see in Figure 2, are better and more useful
than Microsoft Virtual Server 2005's settings.
One very welcome new feature, which is also
available in ESX Server, is Hyper-V's ability to
expand an existing virtual hard disk.

Pedal to the Metal 

Performance is where the rubber meets
the road. I tested the two virtualization
products using an HP ProLiant ML370 G5
that is a rack-mounted 4U server. The HP
ProLiant ML370 G5 can run Server 2008 with
Hyper-V as well as VMware's ESX Server. My
test unit was equipped with two Intel quad-core
Xeon processors running at 1.86GHz
on a 1,066MHz front-side bus. The ML370
G5 came equipped with 8GB of RAM and
eight 72GB 15,000rpm drives configured
as a RAID array. Overall, the performance
level provided by this system exceeded the
test requirements, leaving headroom for
additional scalability.


Hyper-V 

PROS: Very good performance; great price 

CONS: Bad remote management experience; 
needs a better management console 

RATING: 

PRICE: N/A (included with Server 2008) 

RECOMMENDATION: Because of its low cost, 
Hyper-V is great for midsized businesses planning 
to adopt Server 2008. 

CONTACT: Microsoft • 800-642-7676 • 
www.microsoft.com 


To compare the performance of ESX
Server 3.5 and Server 2008's Hyper-V, I configured
the eight x64 VMs with 512MB of
RAM and accepted the default settings for
new virtual hard drive configuration. I used
external networking that linked the VMs'
virtual network adapters to the host, letting
me test the connections from external client
systems—which is how most organizations
use production servers in a server consolidation
environment. All the VMs were
configured with Server 2008 Enterprise.

To simulate a mixed workload, I set up
six of the VMs to function as file servers and
two of the VMs as database servers running
SQL Server 2005 Enterprise Edition SP2. To
test the file server performance, I used a
routine that copied a set of 10 files totaling
about 130MB from the file server to the local
client's hard drive. Then the files were copied
back to another directory on the server
and deleted. I used a three-second think
time between all the operations. This routine
was repeated 10 times. To test the SQL
Server workload, I used 27 different queries
running against the sample AdventureWorks
database. Although the bulk of the workload
was data retrieval, the batch also contained
a couple of loops and four SELECT INTO
statements to add some computational
and data modification operations. A think
time of three seconds was inserted between
each database interaction. The clients used
SQLCMD to launch the workload against
the two SQL Server systems. Each client ran
a test against one of the file servers and two
tests with the two SQL Server systems—for a
total of 10 jobs in each test batch. The entire
series was repeated three times and the
results were averaged. The order in which
each client ran jobs against the VM hosts
was varied for each run.

The final performance measurement
that I compared was the total time required
to run all the workloads to completion. I
compared both the total aggregate time for
all workloads and the individual time for the
workload run by each VM. Figure 3
shows a graph comparing the performance
of the two platforms.

I measured the results in seconds down
to a hundredth of a second. Perhaps surprisingly,
Hyper-V consistently delivered better
performance in the file server portion
of the combined tests, consistently edging
out ESX Server by a range of 1 percent to 5
percent depending on the VM. However,
just as surprisingly, VMware's ESX Server
delivered notably better performance than
Hyper-V in the SQL Server database tests.
For the database performance, ESX Server
averaged 36 percent to 39 percent better
than Hyper-V. These results were somewhat
surprising because I had recently conducted
a set of SQL Server-only tests for SQL Server
Magazine, in which ESX Server averaged just
4 percent better performance than Hyper-V.
However, the workload was different in
these tests. This time, I was performing a set
of mixed file serving and database serving.
Closer analysis of the results showed that one
database client was slower using SQL Server
under Hyper-V than ESX Server. The cause
of the difference wasn't clear. The client's
file system tests were the same for both platforms.
There was no change on the client, and
the results were consistent over all three test
sets and both database servers. Rerunning
the tests produced similar results. Discounting
that client's test results, the difference
was about 1 percent in favor of
ESX Server. Figure 4 shows a summary
of the combined test results.

Figure 3: Individual VM performance comparison

Combining the total of all workloads
and all tests, ESX Server finished
with a 4 percent advantage over
Hyper-V. Although ESX Server held the
performance advantage, the two platforms
were definitely comparable even under load.
Hyper-V did show an advantage in certain
parts of the tests. And because my testing was
done with the early release Hyper-V code, the
final release might change these test results.

The Victory Lap 

Overall, my editor's choice and the checkered
flag go to ESX Server. Here's a breakdown
of my take on some of the important
differentiating features of each product.

• Installation and Setup—ESX Server
took this category hands down. Installation
was much faster and setup was
much easier. No rebooting was required.
Remote management setup was drop-dead
simple.

• Virtual Server Host Management—
Hyper-V took this category. I used
the full installation of Server 2008
Enterprise, so all the Windows
Server management tools and capabilities
were available, complete
with a graphical interface.

• VM Management—ESX Server was
a clear winner in this category. After
working with ESX Server 3.5 and
the Virtual Infrastructure Client, I
must admit that I really liked it. It
was manageable, predictable, and
polished. Hyper-V Manager seemed
a bit clunky in comparison.

• Performance—ESX Server showed
a slight advantage here but Hyper-V
really held its own in the performance
department.

• Price—Hyper-V held a clear advantage
in this category. Most organizations
will eventually move to Server
2008, which includes Hyper-V.

Both Microsoft's Hyper-V and VMware's
ESX Server provide excellent levels of performance.
For midsized and large businesses,
ESX Server 3.5 coupled with the mature
Virtual Infrastructure 3 management suite
provides a more feature-rich—albeit more
costly—platform for enterprises and midsized
businesses. In addition, ESX Server has
a mature eco-structure of support products
that can help organizations with a variety of
management operations, including backup,
disaster recovery, and security. However,
I found Hyper-V to be very compelling for
midsized businesses—especially those organizations
just getting into virtualization and
those making the move to Server 2008. The
fact that Hyper-V is bundled in with Server
2008 makes the price point very
attractive. In addition, the product
offered good performance
and easy management.
InstantDoc ID 99248 


Figure 4: Combined performance comparison (ESX Server vs. Hyper-V)


Michael Otey (mikeo@windowsitpro.com) is technical
director for Windows IT Pro and SQL Server Magazine
and author of Microsoft SQL Server 2008 New Features
(Osborne/McGraw-Hill).


JULY 2008 Windows IT Pro 


BUYER’S GUIDE


Event-Log Managers


Quickly turn mountains of 
data into a goldmine of useful 
security, compliance, and 
analysis information 

by Karen Bemowski 


Editor's Note: The Buyer's Guide presents vendor-submitted information.
To find out about future Buyer's Guide topics or to learn how
to include your product in an upcoming Buyer's Guide, go to
www.windowsitpro.com/buyersguide.

If a network has 7 servers, and every server has 7 event logs that
all run 24 x 7, and there are 7 entries per hour, how many event 
log entries would you have in 7 days? A number that would 
make any administrator cringe: 8,232 log entries every day and 
57,624 log entries per week. Windows event-log data is helpful 
for monitoring system performance, confirming regulatory 
compliance, and other tasks, but reviewing the mountains of data these 
logs produce can be frustrating and time consuming.

Fortunately, event-log management products—also known as 
event-log managers—can quickly turn that mountain of data into a 
goldmine of useful information with little administrative effort. While
you follow your daily routine, event-log managers automatically 
monitor your Windows logs and alert you to system problems. They 
can automatically filter and consolidate data so you can troubleshoot 
performance problems and identify possible security risks. They can 
even automatically produce reports to help you identify trends and 
document regulatory compliance. Use the introductory questions 
to determine the features you need, then go online and review the 
product chart to find the right solution for your environment. 

Features Abound 

There are many event-log managers available, each with different 
capabilities. To narrow your search, you can start by answering the 
following questions to determine your most important needs, and 
the features that meet those needs. 

Do you want to use agents? In agent-based setups, you install an
agent on all computers you will monitor. Agentless products use at 
least one server or workstation to monitor the network servers and 
workstation event logs. 

What do you need to monitor? Most event-log managers monitor
the Windows Application, Security, System, Directory Service,
DNS Server, and File Replication Service logs. Some event-log managers
also monitor application logs, such as Microsoft application
logs (e.g., ISA Server, SQL Server), and third-party applications logs
(e.g., Linux antivirus software).


Do you want to filter and consolidate events? Event filtering 
sorts and singles out events based on their content. Filtering is necessary
if you want to generate alerts triggered by specific error codes
or event-description keywords. Event consolidation eliminates 
redundant reporting of repeating events. 
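
The filtering and consolidation described above, as an added Python example (not from the article or from any vendor's product): it keeps events that match given event IDs or description keywords, then collapses repeats of the same host, log, and event ID that recur within a time window into one row with a count. The sample events, the 5-minute window, the threshold, and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    time: datetime
    host: str
    log: str         # e.g. Security, System, Application
    event_id: int
    message: str


def ts(hhmmss):
    """Build a timestamp on one constructed day."""
    return datetime.strptime("2008-07-01 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    Event(ts("09:00:00"), "SRV1", "Security", 4625, "An account failed to log on. Account: alice"),
    Event(ts("09:00:30"), "SRV1", "Security", 4625, "An account failed to log on. Account: alice"),
    Event(ts("09:01:10"), "SRV1", "Security", 4625, "An account failed to log on. Account: alice"),
    Event(ts("09:02:00"), "SRV2", "System", 7036, "The Print Spooler service entered the stopped state."),
    Event(ts("09:03:00"), "SRV1", "Application", 1000, "Faulting application app.exe"),
    Event(ts("09:04:00"), "SRV2", "Security", 4624, "An account was successfully logged on."),
    Event(ts("09:20:00"), "SRV1", "Security", 4625, "An account failed to log on. Account: alice"),
]


def filter_events(events, event_ids=(), keywords=()):
    """Keep events whose ID is listed or whose description contains a keyword."""
    ids = set(event_ids)
    words = [k.lower() for k in keywords]
    return [
        e for e in events
        if e.event_id in ids or any(w in e.message.lower() for w in words)
    ]


def consolidate(events, window=timedelta(minutes=5)):
    """Collapse repeats of the same (host, log, event_id) into one row.

    An event joins the current row for its key when it arrives within
    `window` of that row's most recent occurrence; otherwise a new row starts.
    """
    rows = []
    current = {}  # key -> the row still accepting repeats
    for e in sorted(events, key=lambda ev: ev.time):
        key = (e.host, e.log, e.event_id)
        row = current.get(key)
        if row is not None and e.time - row["last"] <= window:
            row["count"] += 1
            row["last"] = e.time
        else:
            row = {
                "host": e.host, "log": e.log, "event_id": e.event_id,
                "first": e.time, "last": e.time, "count": 1,
                "message": e.message,
            }
            current[key] = row
            rows.append(row)
    return rows


def alert_rows(rows, threshold=3):
    """Rows that repeated at least `threshold` times inside one window."""
    return [r for r in rows if r["count"] >= threshold]


if __name__ == "__main__":
    kept = filter_events(SAMPLE_EVENTS, event_ids=(4625,), keywords=("stopped",))
    for r in consolidate(kept):
        print(r["first"].time(), r["host"], r["log"], r["event_id"], "x%d" % r["count"])
```
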

What do you want to happen when an event occurs? All but 
one of the event-log managers described in the Buyer's Guide chart 
offer some type of automatic alert. The nature of alerts varies from 
sending an email message to having a scrolling LED on a marquee 
sign. Some event-log managers let you use an executable (e.g., 
script, program) to customize alerts. If you want a specific action 
to occur when an event happens (e.g., shut down a server, stop a 
service), look for products with the automatic actions feature. 

What type of reporting capabilities do you want? Event-log 
managers featuring automatic report generation can provide you 
with prebuilt reports, such as logon-failure reports and daily specified
event reports. If your company must provide proof of compliance
for regulations such as the Gramm-Leach-Bliley Act (GLBA)
or the Sarbanes-Oxley (SOX) Act of 2002, check out the products 
with compliance reporting features. If you need to see event trends 
over time, event-log managers with historical trending would be 
advantageous. If you have special reporting requirements, some 
products let you design custom reports. 


A Good Start 

Getting a better idea of your needs and the various solutions' features
will get your search for an appropriate event-log manager off
to a good start. You can use an event-log
management product to set up custom alerts
and reports so you can learn of problems
sooner and analyze trends for better planning.
You'll find expanded reviews for some
of the Buyer's Guide chart products in the
"Related Articles" section of the online version
of this article.
Use the Buyer's Guide
.windowsitpro.com/article/articleid/99062
managers from 19 vendors, and find the
right solution for your environment.
WHAT’S HOT
READERS REVIEW HOT PRODUCTS


Secure Firewall 

As many IT pros can attest, a growing IT
infrastructure presents challenges. Steve
Greenberg, the IT security manager for
Frontier Airlines, found himself facing an
infrastructure of mismatched firewalls
and other security products from a variety
of vendors.

"We wanted to consolidate and move to a more
robust set of security products as we continued
to grow," says Greenberg. "Consolidation
is good, and we took advantage of that
consolidation to standardize on a limited
number of security products."

The firewall that Greenberg standardized on
was Secure Computing's Secure Firewall,
chosen partly for its impressive
performance under attack during a
hacking challenge conducted at a recent
Black Hat security expo. "I remember
people trying to hack that firewall, and
nobody was able to deface the protected
Web server or get to any files on the network,"
says Greenberg. "That definitely got
my attention."

Installation and configuration of Secure
Firewall initially gave Greenberg pause, as
the sheer number of options and features
made configuring the product a bit overwhelming.
At first, Greenberg thought he'd
need on-site help from Secure Computing
to complete the deployment. However,
good technical support and additional
training helped Frontier surmount the initial
learning curve.





Wanted: Your Real-World Experiences with Products 

Have you discovered a great product that saves you time and money? Do you use
something you wouldn't wish on anyone? Tell the world in a review right
here in What's Hot: Readers Review Hot Products. If we publish your opinion,
we'll send you a Best Buy gift card and a free VIP subscription to Windows IT
Pro! Send information about a product you use and whether it helps you or
hinders you to whatshot@windowsitpro.com.
WHAT'S NOT
(TECHED 2008 EDITION)

The Retirement of Bill Gates

Bill Gates made his last trade show appearance as a Microsoft employee at Tech Ed Developers 2008. Gates has served as the favorite target of griping malcontents from the Mac, Linux, and open-source communities for years. Nattering nabobs aside, Gates—along with Steve Ballmer and Paul Allen—has done more to create the IT infrastructure of today than anyone else. The Gates Foundation (and the world's poor) may benefit from Gates leaving Microsoft, but I'm sure he'll be missed in the halls of Redmond.

Smartphone Battery Life 

My current Treo smartphone battery 
retains energy about as well as I do 
after racing up a flight of stairs. (That 
isn't a compliment.) Huge strides 
have been made in battery life over 
the past few years, but much more 
clearly needs to be done. I predict 
the company that cracks the battery 
code first will reap huge rewards.... 

Florida Weather 

My flight to Orlando for Tech Ed 
Developers 2008 was literally 10 feet 
off the ground, then our pilot got 
spooked by the bad weather, hit the 
throttle, and diverted us to Tampa. 
We eventually ended up safe and 
sound in Orlando—thanks to the 
skill and judgment of our pilots—but 
the experience made me wonder if 
Florida ever has calm weather. It's a 
beautiful state with friendly people, 
but don't count on the weather 
being predictable. 


FileBoss 2.0 


Trade magazines such as ours are filled with advertisements from 
vendors offering good but often pricey solutions to IT problems. 
Yet sometimes an inexpensive (or free) utility can fill the bill just as 
well, as Vincent Napoli discovered when he found the FileBoss 2.0 
file management utility from The Utility Factory. 

Napoli needed a way to search large numbers of files to comply with a Freedom of Information Act request. "[Using FileBoss 2.0] I was able to search for a specific text string in large volumes of files," says Napoli. "This cut down time spent searching through countless days of archived, emailed files."

Napoli found the installation and deployment of the software to be "extremely easy" and the application to be easy to learn and use. His favorite features are the program's ability to quickly find text strings and how it manages the results of searches and file copies. "After a search is complete, [FileBoss] creates virtual folders—multiple instances of different searches—allowing me to work with many searches at once. I can also copy files to a given folder and FileBoss will allow me to rename duplicate files....This was very useful since my email server sometimes uses the same filename on different days."

Napoli wishes FileBoss had automatic notification of new program updates, but on the whole he's pleased with his $49.99 investment. "I'm happy with FileBoss so far, [although] I'm still exploring its features. I haven't found a feature yet that's made me say, 'Man, I wish that was better,'" he says.


Strata Guard and Safe Access

Keeping network data secure is an important task for any IT pro, regardless of where that network resides. In the case of Chip Ganassi Racing, the network could be trackside at the Daytona 500 or in the infield at the Indianapolis Motor Speedway.

Michael Carbone, manager of information technology at Chip Ganassi Racing, manages the IT infrastructure for the company's three brick-and-mortar locations, as well as the team transporters that support Ganassi racing efforts at trackside. As the company has grown, expanding its IT infrastructure has become a top priority. "We have more than a thousand devices on our network now, and we needed to know who's on our network and what's happening on the network," says Carbone. "We also needed solid network reliability, so we started to look at vendors that could help us enlarge our network and secure what we had." After looking at about a dozen products, Carbone settled on StillSecure's Safe Access Network Access Control (NAC) and Strata Guard intrusion detection and prevention products.

"Installation and setup was straightforward...both products were easy to use," says Carbone. "We installed Strata Guard first in passive mode so we wouldn't interrupt daily user access and began collecting data for areas that we need to work on. We've been using the StillSecure products for several months now, and we've been happy with the performance."

READER: Michael Carbone, Manager of Information Technology
PRODUCT: Safe Access and Strata Guard
COMPANY: StillSecure
CONTACT: www.stillsecure.com

Carbone had some suggestions for improving the dashboard and key performance indicator modules for Safe Access and Strata Guard and pointed to the vendor's customer improvement program as one of the most positive aspects of using the products. "With some IT vendors, it seems that nobody ever listens when you have a concern or a complaint," says Carbone. "StillSecure does listen, and they've made improvements and changes to the product based on our feedback."

Carbone added that while the easy deployment, good performance, and helpful customer support were positive features of StillSecure products, the deciding factor was the value that StillSecure provided for the price. "I looked at more than a dozen products, and StillSecure always compared well to them on the value and pricing front."
CTRL+ALT+DEL
by Jason Bovberg

Stupid USB Devices for the IT Guy

USB Panic Button: awaregeek.com/funny-stuff/usb-panic-button
USB Laser Guided Missile Launcher: www.thinkgeek.com/geektoys/warfare/8bc4
USB ScreenSmasher: www.screensmasher.com
USB Shaver: usb.brando.com.hk/prod_detail.php?prod_id=00218
USB Mug Warmer: www.thinkgeek.com/gadgets/electronic/85b6
USB Mini Paper Shredder: www.usbgeek.com/prod_detail.php?prod_id=0504
USB Barbie: gizmodo.com/gadgets/peripherals/storage/barbie-usb-drive-102600.php
USB Absinthe Spoon: www.geeksugar.com/1568424

10 IT Truths We've Learned Along the Way
by Eric B. Rux and Douglas Toombs

Two of our intrepid authors chime in on what they've learned as IT pros.

10. Users' Systems Will Sometimes Magically Heal Themselves as You Walk Up to Them

The automotive equivalent to this adage is, "Well, it was making the noise while I was driving here."

9. Your $99 Fireproof Vault Won't Protect Your Backup Tapes

That vault you bought at the local office supply store is rated for keeping paper safe—not plastic. Plastic melts at a much lower temperature than necessary for paper to combust. Invest in a real media-rated vault or, better yet, find an off-site pickup service for your tapes.

8. Backups Always Work; Restores Never Do

Just because the backup report comes back successful doesn't mean everything is right in the world. The only way to ensure that you can perform a successful restoration is to actually try it.

7. A Filthy Workspace Is a Recipe for Disaster

That 64-ounce Coke shedding dew and balanced precariously above the user's keyboard ... that houseplant leaking water onto the server casing ... that wad of dust clogging up the server fan ... you know where this is going.

6. When Things Go Awry, Blame It on the Guy Who Left

Why take responsibility for your mistakes when you can just blame the IT guy who went to the company next door and is now making $20,000 more than you?

5. Never Deploy New Patches or Code on Friday at 4 PM

Unless you can't stand the notion of spending the weekend with your family.

4. Users Require Great Care Even When They're Lying to Your Face

Embarrassed or frustrated users sometimes don't seem interested in following your advice to the letter. Be patient with them, and everyone walks away happy. And remember: How you say something is often more important than what you say.

3. Know What You Know; Know What You Don't Know

Have you ever gone full speed ahead toward a solution even when you're not really sure what you're doing? It's OK to say, "I don't know, but I can find out."

2. Never Underestimate the Reboot

Sometimes we forget about this cure-all, but remember that administrators have been known to coast through entire days, just telling callers to reboot their machine.

1. Sometimes, the Best Solution Is Free

Too often, your first problem-remediation technique is to fall back on the vendor-based tools that have long histories and user communities—and hefty price tags. Try a different tactic by scouring the Web for free tools that are equally effective. You can start with our very own series, "8 Absolutely Cool, Totally Free Utilities" (InstantDoc ID 50122).

Our 5 Favorite Time-Wasting Flash Games

Bow Man: bowman.freeonlinegames.com
Crazy Cube: games.yahoo.com/free-games/crazy-cube
Paper Toss: www.funny-games.biz/paper-toss.html
Double Wires: www.addictinggames.com/doublewires.html
Desktop Tower Defense: www.handdrawngames.com/DesktopTD/game.asp


July 2008 issue no. 167, Windows IT Pro (ISSN 1552-3136) is published monthly. Copyright 2008, Penton Media, Inc., all rights reserved. Subscriptions in US, $54.95 for one year; in Canada, $59 US currency, plus GST for one year; in all other countries, US $99. Windows is a trademark or registered trademark of Microsoft Corporation in the United States and/or other countries, and Windows IT Pro is used under license from owner. Windows IT Pro is an independent publication not affiliated with Microsoft Corporation. Microsoft Corporation is not responsible in any way for the editorial policy or other contents of the publication. Windows IT Pro, 221 E. 29th St., Loveland, CO 80538, (800) 793-5697 or (970) 203-2782. Sales and Marketing Offices: 221 E. 29th St., Loveland, CO 80538. Advertising rates furnished upon request. Periodicals Class postage paid at Loveland, Colorado, and additional mailing offices. POSTMASTER: Send address changes to Windows IT Pro, 221 E. 29th St., Loveland, CO 80539-0447. SUBSCRIBERS: Send all inquiries, payments, and address changes to Windows IT Pro, Circulation Department, 221 E. 29th St., Loveland, CO 80539. Printed in the USA. BPA Worldwide Member


SEND US YOUR INDUSTRY HUMOR!

Email your industry humor, scandalous rumors, funny screenshots, favorite end-user moments, and IT-related pics to rumors@windowsitpro.com. If we use your submission, you'll receive a Ctrl+Alt+Del coffee mug.